I’m following up some comments posted at `bitcointalk.org` which were responding to [my critique](https://steemit.com/cryptocurrency/@anonymint/re-anonymint-re-anonymint-scaling-decentralization-security-of-distributed-ledgers-20190209t143757701z) of MimbleWimble/Grin (to which this comment replies), and the emission schedule digression below is specifically w.r.t. Grin’s implementation of MW (and other implementations that copy theirs).

@**sandinthebones** [wrote](https://bitcointalk.org/index.php?topic=5090427.msg49726001#msg49726001) (also [archived](https://web.archive.org/web/20190214093100/https://bitcointalk.org/index.php?topic=5090427.960#msg49726001)):

>> Disadvantages of MW:
>> […]
>> No scripting possible, so no smart contracts nor atomic cross-chain transactions (but there’s a way to achieve HTLCs but not multi-hop off-chain networks such as Lightning Networks (LN)).
>
> and quote from https://www.grin-forum.org/t/much-of-the-technology-behind-grin/127
>
>> Scriptless scripts. MimbleWimble can’t allow Bitcoin-style scripts. In theory this should be very limiting. But in practice, leveraging Schnorr signatures, we can re-introduce multiple types of smart contracts. Inluding the basis for lightning network and…
>>
>> Atomic swaps. One type of scriptless script that allows exchanging grins with other cryptocurrencies trustlessly.

Note I corrected that listed disadvantage in [my MW/Grin critique](https://steemit.com/cryptocurrency/@anonymint/re-anonymint-re-anonymint-scaling-decentralization-security-of-distributed-ledgers-20190209t143757701z), to indicate that only scripted scripts aren’t possible.

I did note in the edit that the statement that atomic exchange wasn’t possible came directly from Andrew Poelstra in his earlier video presentation which I had cited (and the link is still there if anyone wants to verify Andrew’s culpability for the error). Thus Andrew is now refuting his earlier statement based on new ideas he has presented. Apparently Andrew did not grok the HTLC concepts well when he made that earlier cited statement which I had based that item of my post on:

Andrew Poelstra [wrote](https://lists.launchpad.net/mimblewimble/msg00022.html):

> I don't really know how HTLC's work, but this matches my understanding

I actually think that was a very minor point in terms of my overall critique of MW. I do appreciate @**sandinthebones**’ correction.

Correct peer review is always appreciated. However what we have below are more examples of technologically ignorant shills making incorrect (and ad hominem) statements. This is one of the aspects of `bitcointalk.org` which lowers its value for meaningful discussions. And primarily the reason [I have requested](https://bitcointalk.org/index.php?topic=1887077.0;all#msg49722298) that they not remove my perma-ban from that site.

What is especially disingenuous about the comments below is these political-hacks cherry-pick the least important claim in my prior post. Instead of addressing the major weaknesses, they try to misdirect the focus of the reader onto the least relevant issues, so the reader is fooled into believing that the major points I have made are also somehow not compelling. This is a well known political strategy for fooling people.

The main weaknesses I enumerated for MW basically are more generally summarized:

* The anonymity/privacy is not the best (for the numerous enumerated reasons, not just the following).
* It’s not transaction scaling, rather it’s only validation scaling.

**Tangentially Note:** My market positioning conjecture is that given the above, MW’s raison d'être is dubious. Contrast this with for example the raison d'être demand for Binance coin (ticker `BNB`), which provides a 25% discount on trading fees (if employed to pay the fees) on the fastest growing and arguably the best exchange with numerous pairs of numerous altcoins which is [deploying their $0.5 billion in profits to buyback](https://www.ccn.com/crypto-exchange-binance-bnb-private-currency-revolution) the Binance `BNB` token. Binance coin has been entirely counter correlated to the entire rest of the cryptocosm and has been rising duing the entire crypto winter! Because it has real demand! Imagine that, a real use case! The math geeks usually don’t excel at marketing and business because they think nifty math is the hammer for every nail.

For example, snotty kids¹ may not understand that my point about the declining relative value of the minted tail reward² (because it becomes an inexorably smaller proportion of the money supply) is most applicable to the context of a 50+% attack being able to deanonymize mix sets (except for zk-snarks/zk-starks will have unbounded mix sets) wherein the miner can spam the mix sets because the adversarial miner(s) can pay the transaction fees to themselves (thus no cost of spamming and if necessary they control what goes into any limited blocksize). When someone’s anonymity is crucial to avoiding being persecuted or other heinous outcomes, they can’t risk the chance of these vulnerabilities. And again, this tangential point I made wasn’t even the most significant of the weaknesses I listed, as evident by the caveat I attached to it, “Note this _posited_ insecurity is a problem **<code><i>perhaps</i> a decade or two from launch</code>** when the constant minted reward has become a [relatively] small tail reward [value].”

@**kingcolex** [wrote](https://bitcointalk.org/index.php?topic=5090427.msg49728811#msg49728811) (also [archived](https://web.archive.org/web/20190214092904/https://bitcointalk.org/index.php?topic=5090427.980#msg49728811)):
> @**Hueristic** [wrote](https://bitcointalk.org/index.php?topic=5090427.msg49726390#msg49726390) (also [archived](https://web.archive.org/web/20190214092904/https://bitcointalk.org/index.php?topic=5090427.980#msg49726390)):
>> Meh, shitload of conjecture argued as if it were facts as usual.
>>
>>> The money supply grows more slowly over time, so the decline decelerates into a small tail reward and thus a **`dubious level of security`**
>>
>> [bolded text is] Bullshit.
>
> Yeah it doesn't make too much sense now does it? If the security was low then difficulty would be low too and people back to mining.

Drooling fanboys¹ may fail to understand how proof-of-work operates, and flunk the most rudimentary level of education on proof-of-work.

The profitable hashrate demand for mining (and thus the difficulty level) adjusts to the value of the mining reward available. If that reward is too low, then the chain is vulnerable to rented hashrate attacks which are unprofitable in terms of the cost of rewarded tokens, but are profitable due to some externalities (such as the ability to double-spend or short the market). That the difficulty level adjusts upward to the rented hashrate attack is not relevant to my point about security because a 50+% (aka 51%) attack exists in this case regardless of the rise of the difficulty level. (Note the rising difficulty level will prevent accelerated mining but that obviously wasn’t the posited security vulnerability)

I will quote as follows from [my critique of](https://steemit.com/blockchain-scaling/@anonymint/lightning-networks-must-fail-if-it-succeeds) Lightning Networks to make this rebuttal more irrefutable in the minds of readers who have a functioning brain stem:

---

> The unavoidable invariant is that PoW requires significant funding for miners in order to bolster the security of the longest chain [against rented hashrate attacks](https://media.consensys.net/the-current-cost-of-51-attack-on-proof-of-work-blockchains-91f87dbc1073). The [$multimillion Bitcoin Gold 51% attack](https://news.ycombinator.com/item?id=17173051) eight months ago and Ethereum Classic’s [recent 51% attack](https://cryptoslate.com/ethereum-classics-51-percent-attack-highlights-challenges-proof-work-coins/) highlights the critical importance of funding security adequately.

---

The above are recent examples of 50+% attacks due to inadequate mining rewards. So this is not conjecture. The contemplated vulnerability actually occurred numerous times already.

Regarding the _“Meh, shitload of conjecture argued as if it were facts as usual.”_, peer review consists of refuting statements with facts. My statements about the technological weaknesses are the facts. If anyone thinks otherwise, the onus is on them to make factual statements refuting my assertion of the facts. Ad hominen drooling from fanboys¹ who flunked even the most rudimentary understanding of blockchains doesn’t qualify as peer review.

As for the conjecture in my post about the market positioning for Grin (and other MW systems), I would like to see some well thought out counter points. Ad hominem doesn’t qualify as reasoning.

¹&nbsp;<sub>These are relevant to the rebuttal statements of fact and thus not ad hominem. Wikipedia defines, “Ad hominem (Latin for ‘to the person’), short for argumentum ad hominem, is a fallacious argumentative strategy whereby genuine discussion of the topic at hand is avoided by instead attacking the character, motive, or other attribute of the person making the argument, or persons associated with the argument, rather than attacking the substance of the argument itself.”</sub>

²&nbsp;<sub>Note although transaction fees also augment the miners’ reward, there’s been [some published research](http://randomwalker.info/publications/mining_CCS.pdf) (c.f. also [my explanation](https://gist.github.com/shelby3/e0c36e24344efba2d1f0d650cd94f1c7) of it) that the incentives compatibility of proof-of-work is dubious as the minted reward declines relative to the reward from transaction fees. Even Grin [links to that research](https://github.com/mimblewimble/grin/wiki/fees-mining) in their justification for an inexorable tail reward. But instead of making this a percentage of the money supply (as Monero does), they chose instead inexorably declining. The above cited research concludes that as incentives compatibility fails for proof-of-work due to too low of a minted block reward, a mining oligarchy must take control over the blockchain, else it forks off in a very high orphan rate that can stall or highly delay the confirmations. Nobody knows what level of minted tail reward will suffice and for one reason is that no one knows what the reward from transaction fees will be (as that depends on demand). Bitcoin has this same flaw, but at least it doesn’t impact anonymity. And thus Bitcoin must and will become ruled by a mining oligarchy in the future for that reason and also [reasons I cited recently](https://steemit.com/steemit/@anonymint/re-smooth-re-organduo-organduo-re-sharpshot-re-madalchemist-re-ned-re-isnochys-re-fulltimegeek-re-ned-the-guiding-mission-vision-and-values-of-steemit-inc-20190205t205651863z) in a discussion with @smooth.</sub>

---

I see there was some follow-up attempts to refute my clarifications above.

@**kingcolex** [wrote](https://bitcointalk.org/index.php?topic=5090427.980#msg49746938):

> A decade or two? In crypto we have already found out if this coin would be a winner or a loser, we would already be on Gen 6+ asic but also he contradicted himself on Grin.

You’re at least removing the ad hominem so I will also. Yet it’s still extremely noisy when you respond without carefully reading what I already wrote. Did you not notice that “[against rented hashrate attacks](https://media.consensys.net/the-current-cost-of-51-attack-on-proof-of-work-blockchains-91f87dbc1073)” links to NiceHash which is a marketplace that matches sellers to buyers for renting mining hashrate provided by CPUs, GPUs and ASICs.

Rented hashrate attacks aren’t limited to CPU-only or even GPU-only mined blockchains.

> he has valid points but that’s mostly at shitcoins that are pump and dumps on life support. If a rented hashrate can take you out then you're not strong enough

Again you apparently didn’t click the links I provided, because there’s a [table listing the cost to attack](https://www.crypto51.app/) extant altcoins with rented hashrate and nearly all of the proof-of-work altcoins are vulnerable, except Bitcoin, Ethereum, Litecoin and Zcash.

>> such as against rented hashrate attacks and the Cuckoo cycle may be vulnerable to botnets while it’s ASIC resistant
>
> So their implementation of a constant reward would help prevent a rented hash attack for a decade or two but it’s vulnerable during it’s asic resistance which is planned to switch within two years?

Firstly, may be vulnerable to rented hashrate or botnet attacks during the fledgling adoption stage even though the minted mining reward is relatively higher w.r.t. the money supply than it will be in the future, but probably any botnets will simply be used to amass tokens for dumping later.

I didn’t know that there’s a plan to change from ASIC resistant Cuckoo cycle to ASIC friendly PoW after two years. Doesn’t necessarily change my point that as the minted mining reward inexorably declines in relative value to the money supply (and thus to the market capitalization), eventually the non-transaction fee portion of the mining reward could become too low to either protect against rented hashrate attacks or insure incentives compatibility for convergence on a longest chain (absent a mining oligarchy to prevent the game theory of bribing other miners with transaction fees). Just because the PoW algorithm changes doesn’t resolve the economic value and game theory dilemmas.

Apparently you had your mind only focused on rented botnet attacks. There many different variables in play here, such as the incentives compatibility research I linked to.

> This is totally a possibility for if gpuminers split and there are no fpga/asic users but then who are the losers? Bag holder fanboys of a dying shitcoin? Do we even care then?

Do you understand that Ethereum Classic was recently 51% attacked. And I do believe GPUs mine it. Is Ethereum Classic a shitcoin? Seems to me Ethereum (and thus also Classic) has potentially many more use cases and better market position of needed utility than dubious market position need for massive pruning on a HODLer store-of-value with no transaction scaling and arguably not the best anonymity. Bitcoin already won’t be relinquishing the HODLer store-of-value market to any altcoin. Note I’m not an Ethereum fan and my next post on this blog will be a critique of Ethereum’s abysmal state of scaling research. I did explain in my critique post that the wealthy can afford to download and validate Bitcoin. AFAICT, they don’t need massive pruning. And they don’t need you and I on Bitcoin either. And my conjecture is that our geek circle of cyberpunks do not constitute a large enough market to enable Grin to keep pace with other altcoins that are positioned to target larger markets.

Note Grin will likely attain a Top 20 (or perhaps Top 10) ranking for a while because our cyberpunk geek circle still has some influence on speculation markets. Yet I think the crypto market will mature and adoption will broaden over this decade. Where I wrote “dubious”, I didn’t mean useless or entirely incapable. I wouldn’t insult @**tromp** who has been friendly with me in past discussions. I don’t anticipate Grin being one of the Top 3 that becomes a significant global phenomenon.

If my analysis of the anonymity technologies in play ends up incorrect and somehow Grin’s anonymity is deemed objectively superior to Monero’s, Grin could displace Monero in the Top 10. I think zk-starks are going to eventually displace Grin and Monero. I do much prefer the creative name Grin over Esperanto’s Monero.

My initial critique lacked this limited praise of Grin, because my post was intended to counter balance @**Theymos**’s anointment of Grin as the only altcoin accepted at `bitcointalk.org`. I have no vested interest (e.g. no Monero) other than I don’t want Grin to be falsely labeled as the scaling coin— it doesn’t scale transaction volume. I’m contributing to the development of a transaction scaling altcoin.

## Ethereum’s Plasma (et al)

<center>[![](https://i.imgur.com/sE1fd7a.png)](https://medium.com/@argongroup/ethereum-plasma-explained-608720d3c60e)</center>

In addition to their design teams ostensibly not accepting that social consensus (including the [paradigm of voting](https://steemit.com/steemit/@anonymint/re-smooth-re-organduo-organduo-re-sharpshot-re-madalchemist-re-ned-re-isnochys-re-fulltimegeek-re-ned-the-guiding-mission-vision-and-values-of-steemit-inc-20190205t205651863z) aka democracy) [is not a Nash Equilibrium](https://medium.com/@shelby_78386/the-caveat-though-is-that-when-the-attacker-can-fork-the-vested-interests-of-some-of-the-users-9340dd037a61), the underlying flaw in the [3+ years of](https://medium.com/@shelby_78386/the-state-of-scaling-in-ethereum-is-abysmal-df9ba6faecb) Ethereum’s [attempts to](https://www.technologyreview.com/s/612507/ethereum-thinks-it-can-change-the-world-its-running-out-of-time-to-prove-it/) scale such as for example in the ([now deprecated?](https://polkadot.network/PolkaDotPaper.pdf#page=3)) Casper/Slasher proposal, has been (as I [also explained](https://medium.com/@shelby_78386/i-dont-see-how-it-s-plausible-for-parallel-forks-of-the-hash-chain-to-be-finalized-concurrently-cb57afe9dd0a)) the inability [to model liveness](https://medium.com/@muneeb/peer-review-cbc-casper-30840a98c89a) formally ([combined with safety](https://github.com/cosmos/cosmos/issues/47#issuecomment-267313323)).

The more recent [Plasma proposal](https://coincentral.com/plasma-an-innovative-framework-to-scale-ethereum/)’s August 11, 2017 “working draft” [whitepaper](https://plasma.io/plasma.pdf) (which [allegedly](https://cryptoiq.co/ethereum-eth-failing-to-deliver-on-promises-leading-crypto-pundit-says/) recycles some of Peter Todd’s old Treechain proposal) also has a fundamental liveness flaw. Treechain was rejected because as Todd says, “Ultimately rejected as insecure. – fraud proofs are invalid and can hide large-scale financial fraud in small amounts of data.” An even more fundamental flaw is that fraud proofs do nothing to prevent 50+% collusion of the stake which can censor the fraud proofs. [Oligarchy control](https://busy.org/@anonymint/consortium-blockchains-e-g-dpos-and-tendermint-can-t-internet-scale) over proof-of-stake [is the norm](https://steemit.com/steemit/@anonymint/re-smooth-re-organduo-organduo-re-sharpshot-re-madalchemist-re-ned-re-isnochys-re-fulltimegeek-re-ned-the-guiding-mission-vision-and-values-of-steemit-inc-20190205t205651863z)¹ because there’s nothing-at-stake (i.e. no external resource irrevocably consumed) for [the power-law distribution of wealth](https://steemit.com/cryptocurrency/@anonymint/bitcoin-rises-because-land-is-becoming-worthless) (c.f . _§References_) which could enforce a Nash equilibrium of non-malevolent consensus. **And alternatively, there’s nothing in the proposed designs which enables the minority of the stake to fork off from the malevolent majority.**

There’s another flaw with fraud proofs which are designed to award the confiscated bond to the finder of the fraud. That is there’s no way to fairly to determine who found the fraud first. If the proof is sent unencrypted to the blockchain, then it can be intercepted and duplicated before confirmation of who was first. If it’s encrypted and then later the submitter reveals the decryption password after confirmation on the blockchain, then the cheater (whose bond is confiscated) can submit innumerable encrypted copies of the fraud proof and reveal the passwords when or if the others do.

Recursive zk-snarks or zk-starks [are being proposed](https://hackernoon.com/plasma-8bba7e1b1d0f) as a solution which is posited to eliminate the need for fraud proof challenges for asset transfers:

> Currently at the proof of concept stage, [Plasma Snapp](https://ethresear.ch/t/plasma-snapp-fully-verified-plasma-chain/3391) aims to effectively remove much of the complexity of Plasma integration through the use of ‘[zero-knowledge succinct non-interactive arguments of knowledge](https://z.cash/technology/zksnarks)’ (‘zk-SNARKS’), removing the need for confirmation signatures and even exit challenge games.²
>
> Vitalik has also [recently elaborated](https://ethresear.ch/t/on-chain-scaling-to-potentially-500-tx-sec-through-mass-tx-validation/3477) on the use of zk-SNARKS in scaling, providing a proposal that wouldn’t require transacting parties to always be ‘online’. This makes progress in solving the data availability issues that would be present within current Plasma implementations, which is caused by their liveness assumptions regarding eventual consensus¹.

But it’s not yet known if or when they’ll be viable for general Turing-complete smart contracts.

Yet even eliminating the need for fraud proofs doesn’t solve a remaining liveness flaw when sufficient validating nodes (in a shard) become (intentionally) unresponsive. The only recourse is a mass exit from the shard, and the adversary repeating this can be the basis of a denial-of-service attack (with the adversary profiting perhaps by shorting the market price). Or analogously a safety/consistency flaw where (due to nothing-at-stake) a majority of validating nodes claim that other validating nodes are unresponsive thus ignoring conflicting transactions. Proof-of-work never ignores work because there’s a burnt economic cost of doing so.

Thus, such unresponsiveness can’t be _deterministically_ penalized because it’s (in terms of what can be proven cryptographically³) indistinguishable from an attack where a majority of the validating nodes pretend the minority is unresponsive and cause the minority to forfeit their bonds. The threat of which forces all validating node into a colluding oligarchy in order to secure the promise of protection. But a promise is not trustless (aka trustproof) thus in actuality such a design lacks a (non-malevolent oligarchy) [Nash equilibrium](https://www.lesswrong.com/posts/yJfBzcDL9fBHJfZ6P/nash-equilibria-and-schelling-points).

Tangentially note that the **NOCUST – A Securely Scalable Commit-Chain**’s [_§3.2.5 Disputes_](https://eprint.iacr.org/2018/642.pdf#page=4) has the analogous underlying liveness flaw.

¹&nbsp;<sub>I [wrote](https://steemit.com/cryptocurrency/@anonymint/re-anonymint-scaling-decentralization-security-of-distributed-ledgers-part-4-20190204t050226078z) in response to a blog:</sup>

> <sup>[…] analyzing [**why Ethereum failed**](https://medium.com/coinmonks/why-ethereum-1-0-failed-and-bitcoin-succeeded-72e9594b9789) (other than as an ERC-20 ICO speculation [FOMO](https://en.wikipedia.org/wiki/Fear_of_missing_out) engine) to displace the _centralized_ Web 2.0, contrasted with Bitcoin successfully [disintermediating traditional stores-of-value](https://busy.org/@anonymint/bitcoin-rises-because-land-is-becoming-worthless)<sup>†</sup> and permissionless payments:</sup>
>
>> <sup>So what happens when a low-value application [(e.g. dApp transactions)] is on the same platform as a high-value application [(e.g. [power-law distributed wealth](https://busy.org/@anonymint/bitcoin-rises-because-land-is-becoming-worthless))]? Unless they both offer comparable economic value, the low-value application may be entirely priced out.</sup>
>
> <sup>Correct. The controlling oligarchy (or miners or stakers) in extant […] distributed consensus ledger systems (including PoW, proof-of-stake (PoS), and DAGs) must have a greater profit incentive to provide a secure ordering than could be obtained by (e.g. shorting the market and) attacking the security with for example double-spends and/or [transaction-fee tragedy-of-the-commons](https://steemit.com/blockchain-scaling/@anonymint/lightning-networks-must-fail-if-it-succeeds) outcomes. Extant systems thus maximize the extraction from token owners’ wealth that said users can be [fooled into participating in](https://steemit.com/steem/@anonymint/blog-rewards-can-t-be-widely-distributed). FOMO and [greater fool speculation](https://en.wikipedia.org/wiki/Greater_fool_theory) pumps being an example extraction paradigm.</sup>
>
>> <sup>With that said, there have been a few categories of dapps which have provided enough economic value to survive. Most notably they are gambling, decentralized exchanges for on-chain tokens, prediction markets, ICOs, and collateral-backed loans. What they share is that people are willing to pay on par with baseline transaction fee for these workflows. (It is not a coincidence that they involve moving potentially large sums of money at once.) The problem, however, is that these are niche applications whose values are way out of line.</sup>
>
>> <sup>0x, one of the most popular dex protocols, has collected only $2000 in lifetime transaction fees despite having a market cap of $160M […] Augur, the most popular prediction market, has only $40k staked in predictions yet has a $170M market cap.</sup>
>
> <sup>Indeed, the power-law distribution of wealth implies that only a small fraction of the tokens will transact. So transaction fees are a relatively smaller revenue stream (as compared to wealth-oriented return-on-investment, speculation, gambling, etc) even if dApps are eventually popular.</sup>
>
> <sup>So extant PoS systems are doomed because the stakers have much more incentive to extract wealth from the participants than to promote transaction volume growth.</sup>
>
> <sup>A flawed argument is there’s an incentive against malfeasance for all PoS systems because stakers should want growth of popular use-cases of the ledger. But given speculative demand trumped and so far exceeded non-speculative, non-wealth-based use-case demand, a greater incentive is to extract maximum wealth in the short-term, forsaking any long-term investment thesis (except for Bitcoin as a long-term HODL store-of-value wherein token price will rise enough to offset nominally but not faster than rise in transaction fees proportionally).</sup>

²&nbsp;<sub>A blog [explains](https://medium.com/@argongroup/ethereum-plasma-explained-608720d3c60e) the “exit challenges” but is otherwise is blind to the fundamental Plasma flaws.</sub>

³&nbsp;<sub>The fundamental [FLP theorem](https://www.the-paper-trail.org/post/2008-08-13-a-brief-tour-of-flp-impossibility/) is at the generative essence of why such attacks are not deterministically provable in an _inherently_ asynchronous network (i.e. regardless of whether the chosen consensus protocol is synchronous).</sub>