By Sander Lutz
7 min read
It’s been awaited for half a decade, delayed for years, praised, condemned, tweaked, and so its developers say, perfected.
Ready or not, here comes Ethereum’s long-anticipated merge. But, given the technical feat that it is, is there any risk of something going terribly wrong?
The merge—Ethereum’s transition from a proof-of-work system to proof of stake—is set to occur between September 10 and September 20. During this historic upgrade to the second-largest cryptocurrency by market cap, upon which well over half of all decentralized finance activity is built, could your funds and NFTs go missing, or your favorite apps stop working?
Developers say there’s nothing to worry about—they’re confident the merge will have no impact on asset security or app functionality. But confusion surrounding the event could spike instances of scammers manipulating uninformed users, and, looking to the months and years to come, the implications of the merge could well have long-term political and even legal ramifications.
One rumored merge-related risk that has gained particular traction in recent weeks pertains to so-called replay attacks.
Because a campaign has emerged to fork, or split, Ethereum and preserve an alternative, proof-of-work version of the network, there exists a likelihood that all digital assets currently built on will be duplicated come the merge. The “real” versions of NFTs and stablecoins will exist on the post-merge, proof-of-stake Ethereum network, but copies of those assets will also exist on the new, forked proof-of-work network, if it materializes.
Those copies will likely be worth far less than their legitimate counterparts on the Ethereum network, but the owners of these assets could still be tempted to sell these surplus tokens for some meager payday.
A replay attack, however, could see bad actors duplicate these transactions in a manner that would allow them to steal the real, much more valuable version of the asset on the real Ethereum blockchain. Just after the relatively worthless “copied” asset is sold on the forked chain, a hacker could, theoretically, replicate that transaction on Ethereum and fool the blockchain by making a seemingly real record of a fake transaction.
Such an attack, though, could only ever occur if both the “real” asset on the Ethereum blockchain and the “copied” asset on the forked chain, possessed the same chain ID. And no viable forks of Ethereum plan to copy Ethereum’s chain IDs for exactly this reason.
Chandler Guo, the founder of ETHPoW—by far the most prominent campaign to fork Ethereum during the merge—confirmed to Decrypt that his proposed network would change all chain IDs on its blockchain to prevent such attacks.
“There will be no problem with replay attacks,” said Ethereum core developer Marius Van Der Wijden to Decrypt.
That doesn’t eliminate the possibility, though, that scammers could prey upon users uncertain of which asset—real or copied—they’re actually selling.
“[A scammer could] say ‘hey, you have money on this chain, go dump it and sell it to us. And we will give you lots of money,’” said Van Der Wijden. “And in reality, you're doing a transaction on the mainnet, and you’re selling your mainnet Ether. If you're uneducated, and trying something new, then you might run into these scammers,” he said.
For that reason, Terence Tsao, another Ethereum core developer, has only one urgent piece of advice for users concerned about such scenarios:
“My only advice is do nothing,” he told Decrypt.
The merge will take about 12 minutes to complete, and during that time numerous major crypto exchanges have announced that they plan to pause deposits and withdrawals for Ethereum and Ethereum-based tokens. This is completely normal, and user funds won’t be at any increased risk during that time.
“There will be no funds at risk,” said Van Der Wijden. “I myself wouldn't send, like, $100 million during those 12 minutes. But 12 minutes after, the chain finalizes. Then everything should be fine. Then we can start celebrating.”
During those 12 minutes, around 150 Ethereum developers will be on high alert, scouring the merge’s software for any bugs. Those bugs would be quickly remedied if discovered, and would not affect the security of users’ assets, only the speed of transactions.
In a worst case scenario, such bugs could lead to transaction delays of “five to ten minutes at the most,” said Tsao. “But once it's going smoothly, it’s just going to be going smoothly.”
While technical risks may be a relative non-issue, long-term political and legal issues raised by the merge cannot be so easily dismissed. Ethereum is set to undergo a radical change, and the implications of that transformation may not be immediately apparent—but it all comes down to how new ETH will be issued and who will now have the most sway on the network.
By transitioning Ethereum from proof of work to proof of stake, the merge will change the way new ETH is created. At the moment, new ETH is generated via the energy-intensive process of “mining,” in which individuals direct huge amounts of computer power at difficult-to-solve puzzles and are rewarded with blocks of new ETH. But post-merge, new ETH will be generated by “staking.” Stakers pledge large amounts of already-existing ETH to create and earn new ETH.
Mining required specialized hardware and access to loads of electricity; staking requires access to capital. For that reason, most major crypto exchanges have lined up to participate in staking ETH. Some, like Coinbase, have explicitly stated that they’re betting their future on staking services. The move makes sense; the more capital an entity pledges, the greater the yield. An exchange like Coinbase, by pledging users’ ETH, stands to proportionally accrue far more than an individual staker.
Large, centralized firms have already provided over 66% of all staked ETH, according to data compiled in a Dune Analytics dashboard, as well as data from research firm Nansen. That means that companies like Lido, Coinbase, Kraken, and Binance will be responsible for validating the lion’s share of transactions on the Ethereum network after the merge.
And within a crypto ecosystem that places a high value on decentralization and privacy, that fact isn’t sitting well with many people.
#Ethereum is officially transitioning to a centralized blockchain on 15 September (the merge). 👇
I got proof. Four entities hold 60% of the network:
🔹 Lido – 31%
🔹 Coinbase – 14.7%
🔹 Kraken – 8.4%
🔹 Binance – 6.7%
✅ TOTAL: 60.8%
Does anyone think this is NOT an issue? pic.twitter.com/o3128tseOl
— Duo Nine | YCC (@DU09BTC) August 17, 2022
But beyond theoretical disputes about the role centralized corporations should play in operating the mechanisms underlying most of decentralized finance, very real tests of that relationship may soon emerge.
When the U.S. Treasury Department sanctioned the privacy-enhancing crypto mixing tool Tornado Cash last month, it blacklisted a number of wallet addresses associated with the product, effectively declaring any cooperation with these addresses a crime tantamount to aiding the North Korean government.
The event spurred myriad implications; for example, would someone validating a block of Ethereum transactions that includes one from a blacklisted address be guilty of a crime?
With the majority of Ethereum transactions to soon be validated by a handful of large companies with major presences in the United States, this tension could soon come to a head. Coinbase’s CEO recently stated that if forced to censor blocks, he’d take his company out of the staking business. But other companies may not be so open to readily shutting down such a lucrative opportunity.
Ethereum core developers, meanwhile, have been adamant in their opposition to validators censoring any Ethereum transactions.
fwiw I voted X in your above poll
— vitalik.eth (@VitalikButerin) August 15, 2022
“We'll be monitoring these companies to see how they are behaving,” said Ethereum core developer Tsao. “If they behave maliciously, we can forcefully eject them through social governance.”
Tsao elaborated that censoring blocks would be considered malicious activity by Ethereum’s core developers.
But many questions still abound. What happens when the Ethereum network boots entities responsible for validating the majority of Ethereum transactions? Could it lead to another contentious fork—a split between a corporate, compliant ETH and a censorship-resistant ETH? And what happens to the ETH that users staked via an exchange if that exchange is penalized or banned from staking?
“That's hard to say, I don't know,” said Tsao. “This is a very complicated question.”
Billions of dollars may rest on the answer.