Proof-of-Stake vs. Proof-of-Agreement: Stellar's Security Edge

In PoS blockchains, entities known as “validators” serve two distinct roles. On every ledger, one validator will be selected to be the “leader” or “block proposer.” This leader node assembles a block on its own, which is then sent off to the rest of the validators to be verified and added to the blockchain. While the rest of the validator nodes can check that each transaction in the block is valid (i.e. does not result in a double spend, contains valid signatures, etc), the network has no way of detecting how the block was built. This means that when a validator is selected to be a block leader, they have total authority over reordering, inserting, or censoring transactions.

Normally, if a validator tries something malicious when building blocks, the network will “slash” their stake, a process where the malicious actor loses the initial “deposit” they put up to be a validator. This can either occur automatically as part of network protocol, or via a social vote, where validator operators decide to slash a particular validator. But what if an attacker can earn more from an attack than the stake they put up? In such cases, the economic deterrent fails.

A stark example occurred in 2023: attackers spent a relatively small amount on their stake (on the order of tens of thousands of dollars) to become an Ethereum block producer and then launched an exploit against the MEV-Boost relay network that netted them around $25 million in stablecoins (Brothers Accused of $25M Ethereum Exploit as U.S. Reveals Fraud Charges). The attackers spun up 16 validator nodes and staked enough ETH to become a block producer. When it was the attackers’ turn to produce a block, they exploited a bug in MEV-Boost, which allowed them to gain access to transactions that were particularly vulnerable to a MEV attack.

Essentially, the attacker broke the rules of block production. However, the block itself was valid. This means the Ethereum network validated the block and executed the transaction that stole funds. Only after the malicious block had already been executed, the network realized the attacker violated the rules of block production and “slashed” the attackers’ stake. However, the actual transactions executing the theft were not reverted. The result was the attackers lost a stake of about $10,000 worth of ETH, but stole $25 million of stable coins and liquid cryptocurrencies.

This attack highlights the magnitude of power block producers have over a network, as only the contents of the block are verified, not the process used to construct it. If a block proposer can earn more money by attacking the network than they lose from slashing or devaluing their stake, the “stake as security” assumption falls apart. Even authorities recognized the severity of this issue – in the indictment of the above attack, U.S. prosecutors remarked that the mere existence of such exploits “calls the very integrity of the blockchain into question.” In short, PoS economically incentivizes good behavior, but those incentives can be overcome by outsized illicit rewards, especially when the value of the bounty significantly outpaces the value of staked crypto assets.

PoS security further assumes that validators are economically rational – i.e., they won’t act in a way that harms the network unless the financial reward outweighs the loss. But what if an attacker isn’t motivated by profit at all? In geopolitical contexts, hostile state actors might willingly absorb financial losses to compromise a blockchain if doing so advances their strategic objectives. Against such 'irrational' attackers operating outside the profit-loss framework, PoS mechanisms offer no inherent protection.

Imagine a scenario where a major economy integrates PoS based financial infrastructure, for example, the United States using a PoS chain for payments or settlements. An adversarial nation-state could view disrupting this blockchain as a national competitive advantage, even if it meant burning money to do so. They might quietly accumulate a large amount of the network’s stake (or otherwise compromise validators) and then launch a 51% attack or persistently censor/block transactions, not for profit but to cause chaos. Nothing in PoS prevents an actor with enough stake from attacking the network “irrationally.” In other words, PoS’s security falls apart if an attacker is willing to incur financial costs to achieve a non-financial objective.

This is increasingly concerning with the advent of staking pools and liquid staking. For example, the Lido staking pool alone accounts for about 27% of all staked Ethereum. Leveraged staking has also become more common via “restaking,” where the value of the staked asset is levered, making both profitable and “irrational” attacks even more feasible.

Why are the above attacks possible? A fundamental issue is that PoS allows anonymous or pseudonymous participation in block production. In most PoS networks, anyone who acquires the minimum required stake (i.e., acquires enough money) can become a validator. This feature is intended to improve openness and decentralization, but it also means bad actors can infiltrate the validator set as easily as honest actors (so long as they have the funds).

In a PoS system, validator identities are just numerical addresses with stake attached. The protocol does not know if a given validator is a reputable institution, a hobbyist, or a hacker – money is the only “entry ticket.” As a result, the network inherently trusts anonymous stakeholders. An attacker can therefore buy stake directly (potentially accumulating it under many pseudonymous addresses) or “borrow” stake via staking pools and become a block producer without others realizing an adversarial actor is inside. The 2023 MEV-Boost attack listed above is a prime example of this: malicious validators went undetected within the network until after they had already proposed and executed the exploitative block, by which time the damage was irreversible.

This anonymous validator model leaves PoS networks vulnerable to various block producer attacks:

• Censorship: A validator (or cartel of validators, such as a staking pool or specific client implementation) can choose to exclude or delay certain transactions or addresses. If, for instance, a group of attackers control a significant share of stake, they could start omitting transactions from a target (say, a specific user or exchange) from the blocks they produce. There’s no built-in rule in most PoS protocols that forces a validator to include any given transaction – liveness of transactions is not guaranteed. In Ethereum, if some validators censor, normally others will include the transactions later, but if a censoring group is large enough (or well-coordinated), it could effectively block a transaction or smart contract indefinitely. Nothing in PoS’s design inherently stops this; it relies on the assumption that such behavior is against the economic self-interest of validators. But as discussed, that assumption may not hold if the validators have other motives.
• MEV and reordering: By default, the validator who produces a block has full control over that block’s transaction ordering. In a process called “Maximum Extractable Value” (MEV), block producers can insert their own transactions (e.g. to snipe an NFT or front-run a trade) before others, a practice widely observed in Ethereum and Solana’s DeFi ecosystem. Honest validators might outsource transaction ordering to fair ordering protocols or MEV relays, but a malicious validator can simply ignore those and reorder transactions for maximum personal profit, and even these “honest” relays extract value from user transactions. PoS doesn’t prevent this – in fact, it arguably encourages validators to seek extra revenue from MEV since MEV profit often dominates block rewards. The result is a continual tug-of-war where validators (even honest but profit-seeking ones) extract value at users’ expense, and malicious ones can go even further to exploit any relay or protocol bugs (as the $25M attack demonstrated).
• Sybil attacks on governance: In some PoS chains, validators also vote on governance or network upgrades. An anonymous actor could register multiple validators (Sybil identities) if they have enough stake, potentially influencing governance or elections in the network in dishonest ways. Again, the network only sees stake weight, not who is wielding it.

In summary, the core weakness of PoS is that “stake” is a purely economic credential, not an identity or reputation credential. The protocol treats a dollar of stake from a hacker the same as a dollar of stake from a regulated bank or a well-known community member. This makes the system vulnerable to infiltration. PoS will faithfully hand the block-producing keys to any account with sufficient stake, even if that account intends to abuse the position. Economic penalties (slashing, loss of rewards) are the primary defense, but as we saw, those can be outweighed or outright ignored by certain attackers.

These attack vectors are not just limited to PoS, but also apply to Proof-of-Work (PoW) consensus algorithms. Instead of putting up money as stake like PoS, PoW effectively uses compute power as the ticket to entry. In PoS, anyone with money to stake can manipulate blocks. With PoW, anyone with enough compute power can manipulate blocks. In both cases, block producers are unvetted and anonymous, and any entity with enough stake (in the case of PoS) or compute (in the case of PoW) can front-run, censor, and manipulate blocks. While Bitcoin is often touted as one of the most decentralized chains, a single mining pool controls 36.5% of all network compute, meaning even Bitcoin is not safe from these attacks.

Stellar takes a very different approach with its Proof-of-Agreement (PoA) consensus (implemented via the Stellar Consensus Protocol). PoA addresses the above issues by requiring that validators be trusted by other validators in the network, rather than simply anyone with funds. In Stellar’s model, there is no concept of staking tokens or paying a price to become a validator. Instead, validators must earn their “seat at the table” through the agreement of existing participants.

Trusted Membership vs. Anonymous Membership

In Stellar’s PoA, the network is open to anyone, but joining the consensus requires trust. Every Stellar validator maintains a list of other validators it trusts. When deciding what blocks to accept, a validator listens to votes from its trusted set. If you’re a new validator, you only influence the network if some established validators add you to their trusted lists. An unknown entity can turn on one or even many Stellar nodes, but if no one knows or trusts it, its votes don’t count in practice. The new node can still broadcast their votes to the network, but if nobody trusts them, the votes are simply ignored. This design blocks anonymous attackers from suddenly becoming block producers overnight. An untrusted attacker, no matter how powerful their computers or how much money they have, cannot force their way into consensus.

Crucially, Stellar is not permissioned in the traditional sense – there’s no central authority, security council, or gatekeeper picking validators. The network is dynamic and decentralized, anyone can run a Stellar validator and try to persuade others to trust it. In fact, the Stellar network has grown to include many independent organizations running validators. But because each organization chooses whom they trust, the only way to maliciously influence the Stellar network is to somehow convince a majority of trusted validators to trust you – a far higher bar than simply buying tokens. In practice, Stellar validators tend to be well-known companies, exchanges, fintech institutions, and the like, who have built up mutual trust.

In essence, Stellar “stakes” social reputation rather than tokens. This creates a very different security model. Gaining a large share of influence in Stellar means gaining the sincere trust of many independent parties, which is hard to do for a bad actor. By contrast, gaining a large share of a PoS network might only require deep pockets. Moreover, because Stellar validators are usually known entities with reputations to protect, they have a strong incentive to behave honestly. It’s not an anonymous plutocracy; it’s a consortium of participants who know that their identity is attached to their actions.

In some ways, PoA actually gives more control and decentralization to validator operators. PoS validators are forced at the protocol level to trust and accept votes from other anonymous validators if they have enough stake. Even if your validator disagrees with the other validators, if the others have enough stake, your validator’s opinion is overridden. In PoA, validators have total control over what votes they accept. Each organization chooses who they trust and a validator will never have its own vote overridden by untrusted peers.

Modern PoS requires Reputation Too!

While social reputation is core to PoA, in practice, PoS also relies on social trust. Ethereum has had to rely on “social” remedies before, such as forking after the DAO Hack to retrieve funds and the emergency fork during the Shanghai Attacks. The advent of delegated staking has also increased the level of social trust in PoS, where individuals lend their tokens to be staked by “trustworthy” organizations. The truth of the matter is social trust is intrinsic to any blockchain, whether that be trusting delegated stakers, trusting a CEX, trusting that stable coins are sufficiently backed, or even trusting that a transaction submitted to the mempool will eventually be included. Instead of implicit social trust, with significant opportunities for malicious behavior, PoA puts this trust front and center.

No Anonymous Block Producers = Fewer Attacks

How does PoA sidestep the specific issues we highlighted in PoS?

• Lack of MEV Networks: Because PoA is not based on economic incentives, Stellar validators collect no monetary reward for producing blocks. Validators are not competing to maximize fees, but their incentive is to keep the network reliable (many validators are businesses building on Stellar, so their incentive is the network’s health, not a few extra tokens in a block). Additionally, transaction ordering on Stellar is not subject to a single party’s whim. If two validators see transactions in different orders, consensus will determine a consistent, randomized order, effectively neutralizing any advantage from one party trying to rush a transaction in at the last minute. In practice, this makes the typical MEV “sandwich attacks” common on Ethereum and Solana much more difficult on Stellar. While some forms of MEV may still be possible on the Stellar network, randomized block order and the lack of economic validator incentives mean the Stellar network does not have block auctions or MEV networks, like Flashbots on Ethereum or Jito on Solana.
• Censorship resistance: Because Stellar requires overlapping agreement from groups of validators, it’s tough for a single actor to censor transactions. If one validator refuses to include a given transaction, others in its quorum will include it and the network will still reach agreement (the dissenting validator would simply be outvoted in that round). Only a wide collusion of many trusted validators could censor a transaction – but orchestrating such collusion would be highly visible and against the interests of these known entities. Unlike in PoS, where anonymous validators might collude in secret, in Stellar, any attempt at censorship would involve organizations whose names and reputations are on the line. This social transparency is a powerful deterrent. If, say, a group of validators on Stellar started censoring certain users, the rest of the validators’ community would notice and could remove trust from those validators, cutting them out of consensus. Thus, malicious behavior leads to immediate loss of influence – a form of “slashing” far more devastating than losing a few tokens, since it means trusted peers literally ignoring the bad actor’s node going forward. After all, on Stellar, the validator can’t just spin up a new node and restake again!
• Defense against irrational or state-level attacks: PoA significantly raises the cost and complexity of an attack by a determined adversary. Instead of just buying tokens on the open market and amassing a big enough stake, an attacker would need to infiltrate or subvert multiple trusted organizations. For example, an attacker might try to spin up many nodes and get others on the network to trust them – but the existing validators are unlikely to all spontaneously trust a brand-new entity with no track record. The protocol itself in Stellar wouldn’t let an attacker with fake identities take over unless they had already breached the social trust network. In short, PoA isn’t reliant solely on economic rationality; it leverages human trust networks as a firewall. A nation-state attacker would find it much harder to marshal trust than to buy tokens.

By making it hard for anonymous, untrusted actors to produce blocks and not relying on economic incentive, Stellar’s PoA largely prevents MEV exploitation and makes coordinated attacks and censorship much more difficult. PoA remains decentralized (many independent parties participate, with no central boss) and is highly secure against the kinds of opportunistic exploits and irrational attacks that currently threaten PoS chains.