Ethereum’s client diversity: with 66% running Prysm, is The Merge safe to pursue?

Ethereum, the second-largest blockchain by market capitalization, is poised for a monumental shift later this year. The network, which underpins hundreds of billions of dollars in assets, is preparing to transition from its current Proof-of-Work (PoW) consensus mechanism to a Proof-of-Stake (PoS) system. This undertaking, often likened to changing an airplane’s engine mid-flight, demands continuous operation and the unwavering production of valid blocks.

Unlike many other prominent blockchains, such as Bitcoin, Ethereum’s development community, with the encouragement of the Ethereum Foundation (EF) and key figures within the ecosystem, has embraced a strategy of fostering multiple client software implementations. These clients, designed to adhere to the PoS protocol, are developed by distinct teams, often differentiated by their choice of programming language. This approach aims to enhance the network’s resilience by reducing the risk of a single point of failure stemming from vulnerabilities in one specific client.

The Merge: A Structural Evolution of Ethereum’s Network

The upcoming transition, colloquially known as "The Merge," signifies a pivotal integration between the existing Ethereum network nodes, which currently include miners, and the Beacon Chain, a PoS consensus layer that has been operational since December 2020. This merger will also redefine the roles of network nodes. Currently, nodes are responsible for both executing and validating transactions. Post-Merge, these duties will be bifurcated.

Post-Merge Node Architecture:

• Execution Nodes: These nodes will continue to interface with users and smart contracts via the Ethereum Virtual Machine (EVM). They will execute transactions and forward them to validator nodes for validation. Their primary function will largely remain the same as in the PoW era, with the crucial difference being that transaction validation will be offloaded to the consensus layer.
• Validator Nodes: These nodes, operating on the Beacon Chain, will assume the responsibility for validating transactions. They will stake ETH to participate in the consensus process, proposing and attesting to new blocks.

The clients for these two distinct roles share some codebase, particularly if developed in the same programming language. Execution clients, in particular, have undergone minor modifications to accommodate the Merge. Core components like the EVM remain largely reusable with minimal adjustments. It’s anticipated that execution clients may eventually shed code related to PoW chain validation as the network fully transitions.

The term "merge" itself is somewhat of a simplification. It’s not a direct amalgamation of two separate chains into one. Instead, at a predetermined block height, the current PoW nodes will cease their validation duties, which will then be exclusively handled by PoS validators. This strategic separation of responsibilities across different logical layers is a fundamental enhancement to the network’s robustness.

Client Diversity: A Double-Edged Sword for Network Security

The rationale behind developing multiple client software implementations is rooted in the principle of distributed security. A bug or vulnerability in one client should not have a cascading effect on the entire network if other clients are built on independent codebases and programming languages. This is a stark contrast to the Bitcoin network, where a simpler protocol and a more unified client base present a different risk profile. Ethereum’s inherent complexity, being an order of magnitude more intricate than Bitcoin, necessitates a more diversified approach to mitigate potential vulnerabilities.

The effectiveness of this client diversity strategy hinges on a balanced distribution of network participation. Ideally, no single client should control more than a third of the network’s total staking power. A critical threshold is identified at the 66% mark, also known as a "supermajority." If a client used by more than 66% of the staking power experiences a severe bug, the intended resilience of multiple clients is undermined.

Implications of Staking Power Distribution:

• Less than 33% Staking Power: A bug in a client with a minor share of staking power would have negligible impact. The network would continue to operate seamlessly, the bug would be addressed, and normalcy would be restored.
• Between 33% and 50% Staking Power: A bug in a client within this range would be more serious but likely manageable through automatic network mechanisms, with minimal user-noticeable disruption.
• More than 50% Staking Power: A critical bug affecting a client with over half of the staking power would trigger automatic mechanisms designed to mend the situation. However, this would inevitably lead to complications, network disturbances, and potential user impact.
• More than 66% Staking Power (Supermajority): This scenario represents the most significant risk. If a bug affects a client with a supermajority, it effectively grants that client absolute control. The network could either split into two separate Ethereums – one running the buggy client and the other the non-buggy ones – or the non-buggy clients would be compelled to adopt the buggy chain, thereby inheriting its compromised state.

The Prysm Predicament: Dominance and its Discontents

As of recent data, the Prysm client implementation, developed by Prysmatic Labs, commands a significant portion of the network’s staking power, hovering around 66%. This level of dominance, while not yet reaching the critical 66% threshold for a supermajority, presents a non-trivial risk. The possibility of a consensus failure due to an exploited bug within Prysm, though statistically unlikely, cannot be entirely discounted.

The broader Ethereum ecosystem comprises several other consensus clients, including Lighthouse, Teku, and Nimbus, alongside smaller players like Grandine and Loadstar. Notably, Grandine is the only client operating under a closed-source license, which raises transparency concerns for some observers.

The distribution of consensus clients at the time of reporting indicates Prysm’s substantial lead. While not exceeding the critical 66% mark, its significant share warrants close scrutiny. Resources like clientdiversity.org are vital for tracking these evolving metrics and understanding the network’s state of client distribution.

The Genesis of Prysm’s Dominance: A First-Mover Advantage

The question naturally arises: why has Prysm achieved such a dominant position? Marius van der Wijden, an Ethereum core developer working on the Geth (Golang Ethereum) Proof-of-Work client, offers several key insights.

"I think the big reasons for Prysm’s success are a first-mover advantage, tooling, and Golang," van der Wijden stated. "Prysm was the first prototype implementation of a beacon client. Thus they could start optimizing their client early on and they had more time to create additional tooling (e.g. the Web UI) and good documentation."

He further elaborated on the significance of the programming language: "Another big advantage is the programming language used by Prysm – Golang – which is reasonably performant and very easy to read and develop in. Go-ethereum is also written in Golang, thus devs familiar with Geth could also easily understand and audit Prysm."

The choice of Golang is particularly relevant when considering the execution layer, where client diversity is even more pronounced. Geth currently holds over 85% of the Proof-of-Work execution client market share. However, post-Merge, the role of execution nodes shifts, making this concentration less of a direct security concern for network consensus.

"Go-ethereum currently has a supermajority of 85% on the execution layer," van der Wijden noted. "It will be a bit better post-merge since stakers can run multiple execution layer clients, with one beacon client, in order to always end up on the correct chain."

Major Exchanges Fuel Prysm’s Ascendancy

The concentration of staking power on Prysm is significantly influenced by large staking service providers and pools. These entities aggregate smaller amounts of ETH from numerous users, enabling participation in staking without requiring the full 32 ETH deposit. The widespread adoption of Prysm by these major players is the primary driver behind the current client diversity imbalance.

Prominent among these are major cryptocurrency exchanges: Coinbase, Kraken, and Binance.

• Coinbase: With approximately 48,864 validators, representing 17.5% of the total, Coinbase runs Prysm on 92.4% of these validators. This single entity contributes roughly 24.3% to the Prysm dominance issue. In response to inquiries about client diversity, Coinbase Cloud pointed to a February 22nd tweet thread. The company cited security as the paramount reason for their initial reliance on Prysm, particularly its support for remote signers, which enhances the security of validator keys by storing them in isolated environments. Coinbase has also begun supporting Lighthouse and integrating remote signer capabilities with it.
• Kraken: Operating around 30,847 validators (11% of the total), Kraken utilizes Prysm for 94.9% of them, contributing approximately 15.7% to Prysm’s dominance. Brian Hoffman, Senior Product Manager at Kraken, indicated that Prysm was initially chosen for its maturity and stability. However, Kraken, in conjunction with Staked, has initiated the deployment of new validators using the Teku client and is migrating some existing ones to improve diversity and bolster their staking service resilience.
• Binance: With 24,410 validators (8.7%), Binance reports a 76.6% Prysm usage, contributing about 10% to the overall Prysm dominance. Binance did not respond to requests for comment.
• Lido: As the third-largest staking service, Lido commands a significant presence with 50,274 validators (18% of the total). While Lido’s Prysm usage is lower at 42.8%, its substantial validator count still results in an 11.5% contribution to Prysm’s dominance.

Decentralized Alternatives and the Path Forward

In contrast to the large centralized staking services, decentralized staking pools are demonstrating a more balanced client distribution.

• Rocket Pool: This decentralized staking pool operates with 2,100 validators (0.75% of the total) and uses Prysm for only 10.6% of its validators, contributing a mere 0.12% to Prysm’s dominance.

The collective actions of these major staking services and pools hold the key to mitigating the client diversity challenge. Encouragingly, discussions are underway between these entities and the Ethereum Foundation. Marius van der Wijden reports that these dialogues are progressing positively.

"Yes, there are talks about this, both internally and externally," van der Wijden confirmed. "I think big staking pools are working on switching parts of their infrastructure to other clients. They need to update their metrics and monitoring infrastructure for the new clients, so it might take longer for them to switch than home validators."

He also emphasized that switching client software is generally not a complex or risky undertaking for individual node operators. "All major implementations are pretty well tested and maintained. If a user is already staking, they should shut down and persist their slashing database, if they don’t have a slashing database, they should wait for a couple of minutes (> 7 minutes) between shutting down the old client and starting the new client. The only difficulties might arise for bigger stakers as some clients provide different APIs than others."

Navigating The Merge with Calculated Risk

With The Merge imminent, the Ethereum community will likely proceed with a client distribution that is less than ideal. The probability of Prysm’s dominance falling below the critical 33% threshold in the remaining months appears remote. However, this situation does not deter Marius van der Wijden and other core Ethereum developers from advancing the Merge.

"I think it’s safe to pursue," van der Wijden asserted. "The chances of a consensus failure happening are very small in my opinion. We have great testing and fuzzing infrastructure that runs permanently to find differences between clients. Even if a consensus failure occurs, we will be able to push out new releases and resolve forks quickly and easily."

He concluded with a firm stance on accountability: "We also have strong consensus that we will not bail out stakers that run a majority client if their clients misbehave." This indicates a commitment to the principles of decentralization and a clear message to large staking operators regarding the responsibilities that accompany significant network influence. The successful transition to Proof-of-Stake hinges not only on technical execution but also on the community’s collective ability to manage and mitigate emergent risks, even those as substantial as client concentration.