system in the hands of ghash.io. The very security of a proof-of-work scheme rests on this actual cost being higher than what an attacker is willing to pay, which is bound to increase with the success of the currency. Proof-of-stake eliminates this source of waste without lowering the cost of attacks —indeed, it automatically scales up the cost of an attack as the currency appreciates. Because the thing you must prove to mine is not destruction of existing resources but provision of existing resources, a proof-of-stake currency does not rely on destroying massive resources as it gains in popularity. 1.2.4 Control Last but not least, the proof-of-work system puts the miners, not the stake- holders, in charge. Forks for instance require the consent of a majority of the miners. This poses a potential conflict of interest: a majority of miners could de- cide to hold the blockchain hostage until stakeholders consent to a protocol fork increasing the mining rewards; more generally, they will hold onto the hugely wasteful system that empowers them longer than is economically beneficial for users. 1.3 Smart Contracts Though Bitcoin does allow for smart contracts, most of its opcodes have been historically disabled and the possibilities are limited. Ethereum introduced a smart contract system with some critical differences: their scripting language is Turing complete and they substitute stateful accounts to Bitcoin’s unspent outputs. While emphasis has been put on the Turing complete aspect of the language, the second property is by far the most interesting and powerful of the two. In Bitcoin, an output can be thought of as having only two states: spent and unspent. In Ethereum, accounts (protected by a key) hold a balance, a contract code and a data store. The state of an account’s storage can be mutated by makingatransaction towards this account. The transaction specifies an amount and the parameters passed to the contract code. Adownside of a Turing complete scripting language for the contracts is that the number of steps needed to execute a script is potentially unbounded, a property which is generally uncomputable. Toaddress this problem, Ethereum has devised a system by which the miner validating the transaction requires a fee proportional to the complexity and number of steps needed to execute the contract. Yet, for the blockchain to be secure, all the active nodes need to validate the transaction. A malicious miner could include in his block a transaction that he crafted specially to run into an infinite loop and pay himself an exorbitant fee for validating this transaction. Other miners could waste a very long time validating this transaction. Worse, they could just slack and fail to validate it. 8