The Hidden Risks of Proof-of-Stake

Recently, an Ethereum user attempted to swap $733,000 USDC for USDT. Both assets are pegged to the dollar, but the user walked away with only $19,000.

No code failed. No security was breached. This is just how most blockchains actually work.

In traditional finance, this triggers an investigation. On Ethereum, it's a feature: the inevitable outcome of an adversarial environment known as Maximal Extractable Value (MEV).

This incident wasn’t random; it was a direct result of execution order tampering by Ethereum validators. Before issuing assets on any public blockchain, ask two questions:

1. Who controls transaction inclusion and ordering?
2. What’s your remedy when they misbehave?

If you can’t answer those clearly, you don’t have “decentralized security.” You have outsourced critical market structure to anonymous operators with misaligned incentives.

In Part 1 of this series, we examined decentralization myths in Proof-of-Stake (PoS) systems and showed how control tends to concentrate around large capital holders. Here, we discuss why two features often sold as strengths, “economic security” and “financial incentives,” can become operational liabilities. We will contrast this with the Stellar Consensus Protocol (SCP), a model designed for issuers who require explicit trust, clear accountability, and designed to mitigate systemic risks that arise in adversarial economic environments.

In practice, leaders routinely prioritize specific trades, delay others, insert their own transactions ahead of others to capitalize on price movements, or even auction off leadership rights to third parties. This creates a structural conflict of interest: the entity responsible for ordering is simultaneously incentivized to monetize that ordering.

Crucially, PoS protocols impose no fairness obligation on leaders, only basic validity checks. A block that front-runs every user in it is perfectly "valid."

Let’s look closer at the $733,000 swap mentioned in the introduction.

When that user traded USDC for USDT (two assets of equal value) the massive loss wasn't a bug, but a sophisticated extraction.

An automated bot spotted the pending transaction and "sandwiched" it, draining all USDT liquidity just before the user’s trade executed to force a catastrophic exchange rate. But the critical failure wasn't the bot; it was the network validator. The bot successfully bribed the leader with a "tip" to process its predatory transaction first before the victim’s. While some analysts have speculated this transaction intentionally set high slippage tolerance, the mechanics of the extraction are the same: a validator accepted a bribe to facilitate the sandwich.

This is Maximal Extractable Value (MEV): the profit a validator extracts by reordering, inserting, or censoring transactions within a block. In this instance, the entity responsible for securing the network explicitly accepted a payment to facilitate massive user loss, transforming the blockchain from a neutral utility into a pay-to-play marketplace where extraction is structurally incentivized.

To understand the severity, imagine if the New York Stock Exchange (NYSE) traded against its own customers.

Picture the NYSE seeing your buy order, buying the stock first, and then selling it to you at a higher price. This isn't like high-frequency trading where competitors use technology to race against each other. The house is playing against the traders with zero risk and guaranteed profit. In regulated markets, this type of conduct would likely violate front-running and best execution rules. In PoS blockchains, it is a standardized revenue stream.

While the PoS ecosystem has proposed MEV mitigation strategies, such as private mempools or order flow auctions, these are band-aids that undermine the core promise of decentralization. To avoid public front-running, users are forced to trust off-chain intermediaries to process their transactions. This reintroduces central points of failure, and often, these intermediaries still participate in other forms of extraction.

The choice is clear: you can build on a network where the security model encourages predatory arbitrage, or you can choose a network where trust and authority are explicit, not merely inherited by whoever accumulates the most stake.

Regulated issuers don’t need a network that’s secure in theory and adversarial in practice. They need infrastructure where trust is explicit, accountability is clear, and bad actors can be removed without network disruption.

The Stellar network was designed for exactly this use case. There's no staking, no protocol yield tied to block production, and no requirement to trust anonymous validators simply because they've posted the most collateral.

Choose Your Validators

On PoS networks, trust is anonymous and assigned. The issuer must implicitly trust whatever validator set controls a supermajority of stake. You do not get to choose or opt out of that set. If that group starts running aggressive MEV strategies, prioritizing certain transactions, or even censoring your transactions, there is no recourse. You must either spend billions for enough stake to out vote them or leave the chain.

On the Stellar Network, trust is transparent and chosen. Stellar reaches consensus using the fundamentally different Stellar Consensus Protocol (SCP), not Proof-of-Work, Proof-of-Stake, or any of their derivatives. The primary difference is governance and transparency.

In SCP, trust is explicit: each validator chooses which other validators it will treat as trusted participants. “Who has authority” is not a side effect of token distribution, but an explicit, reviewable configuration. For an asset issuer, that can mean trusting validators operated by your own organization, infrastructure providers you have contractual agreements with, or regulated financial institutions. Stellar is still open and permissionless, and there is no centralized list of who is trustworthy. Rather, each validator independently chooses their own trusted set. That’s the power of SCP: while trust is locally configurable, the result is still a connected public network.

What this means in practice: if a validator becomes unreliable or starts behaving poorly (downtime, censorship, MEV front-running), other validators can remove trust from that node at any time with a simple configuration change. If a single node removes their trust, is the problematic node immediately removed? No. But as more nodes remove trust, the unreliable validator’s authority (and its ability to front-run) goes to zero. Unlike PoS, this process does not require a fork, synchronized coordination, or buying more stake. SCP gives the power to individual validators, where many local, independent decisions influence the global network. To do the same on PoS? A super majority of stake would have to write a software update, unanimously decide on which validators to remove, and synchronize the exact upgrade time, all of which is almost impossible in practice for a decentralized system.

No Yield, No Extraction

The Stellar network provides no monetary rewards for validators. Fees don't flow to block producers, so there's no incentive to inflate costs. Transaction ordering is randomized, which significantly reduces MEV opportunities.

This raises an obvious question for those familiar with PoS economics: why would anyone run a validator without financial incentive?

On the Stellar network, validating is not a yield strategy. It’s a risk-management and operational-resilience tool. Businesses run validators because their assets depend on reliable settlement. The “return” they get is independent verification of finality, reduced dependency on third parties, and a clear chain of accountability for transaction ordering and execution.

This shapes who actually validates. On PoS networks, the validator set is anonymous, but skews toward yield-generating staking pools, MEV extraction operations, and high-frequency trading firms. These are economically rational actors seeking profit, which means optimizing for extraction, not for security.

On the Stellar network validators are always known entities, typically including issuers, anchors, exchanges, wallets, and infrastructure providers. Franklin Templeton runs validators to secure over $650 million of tokenized funds. The startup Script3 validates to protect $80 million in its lending protocol. These businesses validate to secure their on-chain assets with no capital lockup required. If an institution wanted equivalent influence on Ethereum or Solana, they would need to stake billions of USD.

Trade-offs and Limitations

SCP doesn’t pretend trust disappears “into the code.” It forces trust to be explicit, reviewable, and revocable. This comes with trade-offs:

Fewer validators. The Stellar network doesn't pay validators, so typical profit-seeking operators are not interested. However, those who do participate prioritize operational reliability over extraction. Validator count is often a vanity metric. PoS networks can have thousands of nodes yet remain centralized around a few powerful high-stake entities.

Reputation-gated influence. Running a validator is permissionless, but influence requires others to include you in their trusted sets. PoS has a financial barrier instead: meaningful influence requires billions in stake. Both have a gated barrier to entry, just different selection criteria.

Attribution cuts both ways. Misbehaving validators can be identified, revoked on-chain, and pursued off-chain. But identifiability also means operators can be pressured by regulators or counterparties. This is an advantage for most institutional use cases, but might be considered a constraint for censorship-resistance maximalists.

What isn't a limitation: the presence of trust. Both PoS and SCP require trust. The difference is where trust lives. PoS embeds trust in token-weighted control and opaque incentives. SCP makes it explicit governance: trust who you choose, revoke them when they fail. Issuers can't eliminate trust, but can choose whether it's implicit and hard to revoke, or explicit and actionable.