Ethereum:A Next-Generation Smart Contract and Decentralized Application Platform


(一)、对比特币及现有概念的介绍(Introduction to Bitcoin and Existing Concepts)

Satoshi Nakamoto’s development of Bitcoin in 2009 has often been hailed as a radical development in money and currency, being the first example of a digital asset which simultaneously has no backing or “intrinsic value” and no centralized issuer or controller. However, another - arguably more important - part of the Bitcoin experiment is the underlying blockchain technology as a tool of distributed consensus, and attention is rapidly starting to shift to this other aspect of Bitcoin. Commonly cited alternative applications of blockchain technology include using on-blockchain digital assets to represent custom currencies and financial instruments (“colored coins”), the ownership of an underlying physical device (“smart property”), non-fungible assets such as domain names (“Namecoin”), as well as more complex applications involving having digital assets being directly controlled by a piece of code implementing arbitrary rules (“smart contracts”) or even blockchain-based “decentralized autonomous organizations” (DAOs). What Ethereum intends to provide is a blockchain with a built-in fully fledged Turing-complete programming language that can be used to create “contracts” that can be used to encode arbitrary state transition functions, allowing users to create any of the systems described above, as well as many others that we have not yet imagined, simply by writing up the logic in a few lines of code.

2009年中本聪开发出比特币,经常被人们誉为货币的激进式发展,因为比特币是第一个同时没有支持和“内在价值”,也没有集中发行人或控制者的数字资产。然而,比特币实验的另一部分 —— 可以说是更加重要的部分——是作为分布式共识工具的底层区块链技术,关注正在迅速转移到比特币的其他方面。通常被引用的区块链技术的替代应用包括:使用区块链数字资产来表示自定义货币和金融工具(“彩色硬币”),基础物理设备(“智能财产”)的所有权,不可替代资产(如域名币“Namecoin”)以及更复杂的应用程序,其中涉及通过实施任意规则的一段代码(“智能合约”)甚至基于区块链的“分布式自治组织”(DAO)直接控制数字资产。以太坊计划提供的区块链是一种内置的完全成熟的图灵完备的编程语言,可用于创建编码任意状态转换功能的“合同”,允许用户创建上述任何系统,还有其他许多我们还没有想象到的,仅仅通过在几行代码中编写逻辑就可以实现。


The concept of decentralized digital currency, as well as alternative applications like property registries, has been around for decades. The anonymous e-cash protocols of the 1980s and the 1990s, mostly reliant on a cryptographic primitive known as Chaumian blinding, provided a currency with a high degree of privacy, but the protocols largely failed to gain traction because of their reliance on a centralized intermediary. In 1998, Wei Dai’s b-money became the first proposal to introduce the idea of creating money through solving computational puzzles as well as decentralized consensus, but the proposal was scant on details as to how decentralized consensus could actually be implemented. In 2005, Hal Finney introduced a concept of “reusable proofs of work”, a system which uses ideas from b-money together with Adam Back’s computationally difficult Hashcash puzzles to create a concept for a cryptocurrency, but once again fell short of the ideal by relying on trusted computing as a backend. In 2009, a decentralized currency was for the first time implemented in practice by Satoshi Nakamoto, combining established primitives for managing ownership through public key cryptography with a consensus algorithm for keeping track of who owns coins, known as “proof of work”.

分布式数字货币的概念以及财产登记等替代应用已经存在数十年了。二十世纪八十年代和九十年代的匿名电子现金协议,主要依赖于一种被称为Chaumian blinding的密码原语,它提供了一种高度隐私的货币,但由于其过于依赖一种集中式中介而未能被广泛接受。 1998年, Wei Dai 的B-money成为第一个提出通过解决数学难题和分布式共识来创造货币的提案,但是该提案没有提供关于如何实现分布式共识的细节。 2005年,Hal Finney引入了一种“可重复使用的工作量证明”的概念,该系统使用B-money的想法和Adam Back计算困难的哈希现金难题创造了一个加密货币概念,但由于需要依赖可信的后端计算而再一次没有实现。 2009年,中本聪首次实施了分布式货币,通过公钥密码体制来管理所有权与共识算法追踪谁拥有货币相结合,这一算法称为“工作l量证明”。

The mechanism behind proof of work was a breakthrough in the space because it simultaneously solved two problems. First, it provided a simple and moderately effective consensus algorithm, allowing nodes in the network to collectively agree on a set of canonical updates to the state of the Bitcoin ledger. Second, it provided a mechanism for allowing free entry into the consensus process, solving the political problem of deciding who gets to influence the consensus, while simultaneously preventing sybil attacks. It does this by substituting a formal barrier to participation, such as the requirement to be registered as a unique entity on a particular list, with an economic barrier - the weight of a single node in the consensus voting process is directly proportional to the computing power that the node brings. Since then, an alternative approach has been proposed called proof of stake, calculating the weight of a node as being proportional to its currency holdings and not computational resources; the discussion of the relative merits of the two approaches is beyond the scope of this paper but it should be noted that both approaches can be used to serve as the backbone of a cryptocurrency.

工作量证明背后的机制是这一领域的的突破,因为它同时解决了两个问题。首先,它提供了一个简单而适度有效的共识算法,允许网络中的节点共同商定对比特币账本状态的一组规范更新。其次,它提供了允许自由进入共识流程的机制,解决了由谁来影响共识的政治问题,同时防止sybil攻击。它通过用经济壁垒来取代正式的参与壁垒,正式的参与壁垒如要求在特定列表上登记为独特的实体,而经济障碍则是 - 共识投票过程中单个节点的权重与该节点带来的计算能力成正比。此后,有人提出了一种替代方法,称为股权证明,它计算一个节点的权重的方式是与其货币持有量成正比,而不是计算资源;对这两种方法相对优点的讨论超出了本文的范围,但应该指出,这两种方法都可以用作加密货币的核心支撑。

2、作为状态转换系统的比特币(Bitcoin As A State Transition System)

Bitcoin As A State Transition System

From a technical standpoint, the ledger of a cryptocurrency such as Bitcoin can be thought of as a state transition system, where there is a “state” consisting of the ownership status of all existing bitcoins and a “state transition function” that takes a state and a transaction and outputs a new state which is the result. In a standard banking system, for example, the state is a balance sheet, a transaction is a request to move $X from A to B, and the state transition function reduces the value in A’s account by $X and increases the value in B’s account by $X. If A’s account has less than $X in the first place, the state transition function returns an error. Hence, one can formally define:

从技术的角度来看,像比特币这样的加密货币账本可以被认为是一种状态转换系统,其中存在一个由所有现有比特币的所有权状态组成的“状态”和一个状态转换功能,它输入一个状态和一个交易,输出一个新状态作为结果。 例如,在标准的银行系统中,状态是资产负债表,交易是将¥X从A移动到B的请求,状态转换功能将A的账户中的值减少¥X,并增加B帐户的值¥X。 如果A的账户首先少于¥X,则状态转换函数返回一个错误。 因此,人们可以正式定义:


In the banking system defined above:


APPLY({ Alice: $50, Bob: $50 },"send $20 from Alice to Bob") = { Alice: $30, Bob: $70 }



APPLY({ Alice: $50, Bob: $50 },"send $70 from Alice to Bob") = ERROR

The “state” in Bitcoin is the collection of all coins (technically, “unspent transaction outputs” or UTXO) that have been minted and not yet spent, with each UTXO having a denomination and an owner (defined by a 20-byte address which is essentially a cryptographic public key[1]). A transaction contains one or more inputs, with each input containing a reference to an existing UTXO and a cryptographic signature produced by the private key associated with the owner’s address, and one or more outputs, with each output containing a new UTXO to be added to the state.

比特币中的“状态”是已经产生和尚未用完的所有货币(技术上说是“未使用的交易输出”或UTXO)的集合,每个UTXO有一个面额和一个拥有者(由20字节地址定义) 本质上是一个密码公钥(译者注:实际与密码公钥还是有很大差别的,严格说,也该是公钥的两次hash))。 交易包含一个或多个输入,每个输入包含对现有UTXO的引用和由与所有者地址关联的私钥生成的加密签名,以及一个或多个输出,每个输出包含要添加新UTXO到状态中去。

The state transition function APPLY(S,TX) -> S’ can be defined roughly as follows:
For each input in TX:
If the referenced UTXO is not in S, return an error.
If the provided signature does not match the of the UTXO, return an error.
If the sum of the denominations of all input UTXO is less than the sum of the denominations of all output UTXO, return an error.
Return S’ with all input UTXO removed and all output UTXO added.

状态转换函数 APPLY(S,TX) -> S’ 可以粗略的定义如下:

The first half of the first step prevents transaction senders from spending coins that do not exist, the second half of the first step prevents transaction senders from spending other people’s coins, and the second step enforces conservation of value. In order to use this for payment, the protocol is as follows. Suppose Alice wants to send 11.7 BTC to Bob. First, Alice will look for a set of available UTXO that she owns that totals up to at least 11.7 BTC. Realistically, Alice will not be able to get exactly 11.7 BTC; say that the smallest she can get is 6+4+2=12. She then creates a transaction with those three inputs and two outputs. The first output will be 11.7 BTC with Bob’s address as its owner, and the second output will be the remaining 0.3 BTC “change”, with the owner being Alice herself.

第一步的前半部分阻止交易发送人花费不存在的比特币,第一步的第二部分阻止交易送人花费其他人的比特币,同时第二步执行价值守恒。 为了使用这个付款,协议如下。 假设Alice想要将11.7 BTC发送给Bob。 首先,Alice将寻找一套她拥有的可用UTXO,总计至少为11.7 BTC。 实际上,Alice将无法准确获得11.7 BTC; 就说她能得到的接近的组合是6 + 4 + 2 = 12。 然后,她用这三个输入和两个输出创建一个交易。 第一个输出11.7 BTC到Bob所有的的地址,第二个输出将是余下的0.3 BTC“找零”,其拥有者是Alice本人。



If we had access to a trustworthy centralized service, this system would be trivial to implement; it could simply be coded exactly as described, using a centralized server’s hard drive to keep track of the state. However, with Bitcoin we are trying to build a decentralized currency system, so we will need to combine the state transaction system with a consensus system in order to ensure that everyone agrees on the order of transactions. Bitcoin’s decentralized consensus process requires nodes in the network to continuously attempt to produce packages of transactions called “blocks”. The network is intended to produce roughly one block every ten minutes, with each block containing a timestamp, a nonce, a reference to (ie. hash of) the previous block and a list of all of the transactions that have taken place since the previous block. Over time, this creates a persistent, ever-growing, “blockchain” that constantly updates to represent the latest state of the Bitcoin ledger.

如果我们能够获得值得信赖的集中式服务,这个系统将很容易实施; 它可以完全按照描述进行编码,使用中央服务器的硬盘来跟踪状态。 但是,对于比特币,我们正在试图建立一个分布式的货币体系,所以我们需要将状态交易体系与共识体系结合起来,以确保每个人都对交易顺序达成一致。 比特币的分布式共识流程要求网络中的节点不断尝试生成称为“块”的交易包。 网络每10分钟产生一个块,每个块包含一个时间戳,一个随机数,一个前一个块的引用(即散列)和一个自上一次块产生以来发生的所有交易的列表。 随着时间的推移,这会创建一个持续、不断增长的“区块链”,它的不断更新是为了代表最新的比特币账本的状态。

The algorithm for checking if a block is valid, expressed in this paradigm, is as follows:
Check if the previous block referenced by the block exists and is valid.
Check that the timestamp of the block is greater than that of the previous block[2] and less than 2 hours into the future
Check that the proof of work on the block is valid.
Let S[0] be the state at the end of the previous block.
Suppose TX is the block’s transaction list with n transactions. For all i in 0…n-1, set S[i+1] = APPLY(S[i],TX[i]) If any application returns an error, exit and return false.
Return true, and register S[n] as the state at the end of block.

假设 TX 是区块中 n 个交易的交易列表,因为所有的 i 都在 0…n-1 中, 让 S[i+1] = APPLY(S[i],TX[i]) ,如果程序返回错误,则退出并返回失败。
如果返回正确,纳闷注册 S[n] 作为当前区块末尾的状态。

Essentially, each transaction in the block must provide a valid state transition from what was the canonical state before the transaction was executed to some new state. Note that the state is not encoded in the block in any way; it is purely an abstraction to be remembered by the validating node and can only be (securely) computed for any block by starting from the genesis state and sequentially applying every transaction in every block. Additionally, note that the order in which the miner includes transactions into the block matters; if there are two transactions A and B in a block such that B spends a UTXO created by A, then the block will be valid if A comes before B but not otherwise.

本质上,块中的每个交易必须提供从事务执行前的规范状态到新状态的有效状态转换。 请注意,状态不以任何方式编码在块中; 状态仅仅是一个被验证节点记住的抽象概念,任何区块的状态,都可以从创始状态开始,按次序加入每个块中的每一笔交易后,被(安全地)计算出来。 此外,请注意矿工处理将交易包含进区块的顺序; 如果块中有两个交易A和B,B花费由A创建的UTXO,如果A在B之前,则该块将是有效的,否则不是。

The one validity condition present in the above list that is not found in other systems is the requirement for “proof of work”. The precise condition is that the double-SHA256 hash of every block, treated as a 256-bit number, must be less than a dynamically adjusted target, which as of the time of this writing is approximately 2187. The purpose of this is to make block creation computationally “hard”, thereby preventing sybil attackers from remaking the entire blockchain in their favor. Because SHA256 is designed to be a completely unpredictable pseudorandom function, the only way to create a valid block is simply trial and error, repeatedly incrementing the nonce and seeing if the new hash matches.

在上述列表中出现的,在其他系统没有发现的有效性条件,是对“工作证明”的要求。 确切的条件是,每个区块的双-SHA256散列值(被视为256位数)必须小于一个动态调整的目标,截至本文写作时约为2^187。这样做的目的是为了让创建区块变得“困难”,从而防止sybil攻击者为了私利而重建整个区块链。 因为SHA256被设计为一个完全不可预知的伪随机函数,所以创建一个有效区块的唯一方法是简单的反复尝试,不断增加随机数的值并查看新的哈希值是否匹配。

At the current target of ~2187, the network must make an average of ~269 tries before a valid block is found; in general, the target is recalibrated by the network every 2016 blocks so that on average a new block is produced by some node in the network every ten minutes. In order to compensate miners for this computational work, the miner of every block is entitled to include a transaction giving themselves 12.5 BTC out of nowhere. Additionally, if any transaction has a higher total denomination in its inputs than in its outputs, the difference also goes to the miner as a “transaction fee”. Incidentally, this is also the only mechanism by which BTC are issued; the genesis state contained no coins at all.

如果当前的目标值是在2187之下,网络发现有效块之前必须平均进行269次尝试; 一般而言,网络每产生2016个区块后会重新校准目标值,以保证平均每10分钟由网络中的某个节点产生一个新区块。 为了补偿矿工们的计算工作,每个发现区块的矿工有权包含一笔给自己12.5比特币(不要问哪里来的)的交易进区块(译注:这就是所谓的每个区块里面的第一个交易,coinbase交易,最开始奖励是25个比特币,每4年减半,以太坊白皮书推出时已经第一次减半)。 此外,如果任何交易在其输入总额高于其输出,则差额也作为“交易费”交给矿工。 顺便说一句,这也是BTC发行的唯一机制; 创始状态根本没有比特币。

In order to better understand the purpose of mining, let us examine what happens in the event of a malicious attacker. Since Bitcoin’s underlying cryptography is known to be secure, the attacker will target the one part of the Bitcoin system that is not protected by cryptography directly: the order of transactions. The attacker’s strategy is simple:
Send 100 BTC to a merchant in exchange for some product (preferably a rapid-delivery digital good).
Wait for the delivery of the product.
Produce another transaction sending the same 100 BTC to himself.
Try to convince the network that his transaction to himself was the one that came first.

为了更好地理解挖矿的的目的,让我们来看看在发生恶意攻击时会发生什么。 由于比特币的基础密码学是安全的,因此攻击者将瞄准比特币系统中不受密码学直接保护的部分:交易顺序。 攻击者的策略很简单:

Once step (1) has taken place, after a few minutes some miner will include the transaction in a block, say block number 270000. After about one hour, five more blocks will have been added to the chain after that block, with each of those blocks indirectly pointing to the transaction and thus “confirming” it. At this point, the merchant will accept the payment as finalized and deliver the product; since we are assuming this is a digital good, delivery is instant. Now, the attacker creates another transaction sending the 100 BTC to himself. If the attacker simply releases it into the wild, the transaction will not be processed; miners will attempt to run APPLY(S,TX) and notice that TXconsumes a UTXO which is no longer in the state. So instead, the attacker creates a “fork” of the blockchain, starting by mining another version of block 270000 pointing to the same block 269999 as a parent but with the new transaction in place of the old one. Because the block data is different, this requires redoing the proof of work. Furthermore, the attacker’s new version of block 270000 has a different hash, so the original blocks 270001 to 270005 do not “point” to it; thus, the original chain and the attacker’s new chain are completely separate. The rule is that in a fork the longest blockchain is taken to be the truth, and so legitimate miners will work on the 270005 chain while the attacker alone is working on the 270000 chain. In order for the attacker to make his blockchain the longest, he would need to have more computational power than the rest of the network combined in order to catch up (hence, “51% attack”).


4、默克尔树(Merkle Trees)

Merkle Trees

Left: it suffices to present only a small number of nodes in a Merkle tree to give a proof of the validity of a branch.


Right: any attempt to change any part of the Merkle tree will eventually lead to an inconsistency somewhere up the chain.


An important scalability feature of Bitcoin is that the block is stored in a multi-level data structure. The “hash” of a block is actually only the hash of the block header, a roughly 200-byte piece of data that contains the timestamp, nonce, previous block hash and the root hash of a data structure called the Merkle tree storing all transactions in the block. A Merkle tree is a type of binary tree, composed of a set of nodes with a large number of leaf nodes at the bottom of the tree containing the underlying data, a set of intermediate nodes where each node is the hash of its two children, and finally a single root node, also formed from the hash of its two children, representing the “top” of the tree. The purpose of the Merkle tree is to allow the data in a block to be delivered piecemeal: a node can download only the header of a block from one source, the small part of the tree relevant to them from another source, and still be assured that all of the data is correct. The reason why this works is that hashes propagate upward: if a malicious user attempts to swap in a fake transaction into the bottom of a Merkle tree, this change will cause a change in the node above, and then a change in the node above that, finally changing the root of the tree and therefore the hash of the block, causing the protocol to register it as a completely different block (almost certainly with an invalid proof of work).

比特币的一个重要的可扩展性特征是,区块存储在多层级数据结构中。区块的“散列”实际上只是块头的散列,一个大致200字节的数据块,包含时间戳,随机数,先前区块散列和称为Merkle树的数据结构的根散列,这个Merkle树中存储了所有交易。 Merkle树是一种二叉树,由一组节点组成,其中包含底层数据的树的底部有大量的叶节点,一组中间节点,其中每个节点是其两个子节点的散列,最后是一个单一的根节点,也是由它的两个子节点的散列形成的,代表树的“顶部”。 Merkle树的目的是允许块中的数据零散传递:一个节点可以只从一个源下载块的头部,从另一个源下载与此相关的树的小部分,并且依然可以确信所有数据都是正确的。之所以这样做,是因为哈希会向上传播:如果恶意用户试图将虚假交易替换到Merkle树的底部,则此更改将导致其上的节点发生更改,然后改变的是这个节点上面的节点,最后改变树的根,因此改变区块的散列值,导致协议将它标示为完全不同的块(几乎肯定带有无效的工作量证明)。

The Merkle tree protocol is arguably essential to long-term sustainability. A “full node” in the Bitcoin network, one that stores and processes the entirety of every block, takes up about 15 GB of disk space in the Bitcoin network as of April 2014, and is growing by over a gigabyte per month. Currently, this is viable for some desktop computers and not phones, and later on in the future only businesses and hobbyists will be able to participate. A protocol known as “simplified payment verification” (SPV) allows for another class of nodes to exist, called “light nodes”, which download the block headers, verify the proof of work on the block headers, and then download only the “branches” associated with transactions that are relevant to them. This allows light nodes to determine with a strong guarantee of security what the status of any Bitcoin transaction, and their current balance, is while downloading only a very small portion of the entire blockchain.

Merkle树协议,对于长期可持续性来说可能是必不可少的。 比特币网络中的一个“完整节点”,一个用于存储和处理所有区块整体的网络,截至2014年4月,占用大约15 GB的磁盘空间,并且每月增长超过千兆字节。 目前,这对于一些台式计算机是可行的,但是手机不行,并且以后只有企业和爱好者才能参与。 被称为“简化支付验证”(SPV)的协议允许存在另一类节点,称为“轻节点”,其下载区块头部,验证区块头部的工作量证明,然后仅下载与他们的交易相关联的“分支”。 这使得轻型节点只需下载整个区块链很小的部分,就可以安全的确定任一比特币交易状态和他们的账户余额安全。

5、其他区块链应用(Alternative Blockchain Applications)

The idea of taking the underlying blockchain idea and applying it to other concepts also has a long history. In 2005, Nick Szabo came out with the concept of “secure property titles with owner authority”, a document describing how “new advances in replicated database technology” will allow for a blockchain-based system for storing a registry of who owns what land, creating an elaborate framework including concepts such as homesteading, adverse possession and Georgian land tax. However, there was unfortunately no effective replicated database system available at the time, and so the protocol was never implemented in practice. After 2009, however, once Bitcoin’s decentralized consensus was developed a number of alternative applications rapidly began to emerge.

将底层区块链想法应用于其他领域的想法早就出现了。 2005年,Nick Szabo提出了“标示所有权的安全产权”概念,一个文件描述了“复制数据库技术的新进展”将会如何允许基于区块链的系统,用来存储谁拥有哪块土地的注册, 并创建一个精心设计的框架,包括诸如家园式,逆权管理和格鲁吉亚地税等概念。 但是,不幸的是,当时没有有效的复制数据库系统,因此该协议在实践中从未得到实施。 然而,2009年之后,当比特币的分布式共识被开发出来后,很多其他的应用迅速涌现。

Namecoin - created in 2010, Namecoin is best described as a decentralized name registration database. In decentralized protocols like Tor, Bitcoin and BitMessage, there needs to be some way of identifying accounts so that other people can interact with them, but in all existing solutions the only kind of identifier available is a pseudorandom hash like 1LW79wp5ZBqaHW1jL5TCiBCrhQYtHagUWy. Ideally, one would like to be able to have an account with a name like “george”. However, the problem is that if one person can create an account named “george” then someone else can use the same process to register “george” for themselves as well and impersonate them. The only solution is a first-to-file paradigm, where the first registerer succeeds and the second fails - a problem perfectly suited for the Bitcoin consensus protocol. Namecoin is the oldest, and most successful, implementation of a name registration system using such an idea.

Namecoin - 2010年创建,Namecoin最好描述为分布式名称注册数据库。 在像Tor,Bitcoin和BitMessage这样的分布式协议中,需要有一些识别帐户的方法,以便其他人可以与它们交互,但是在所有现有的解决方案中,唯一可用的标识符是伪随机哈希,如1LW79wp5ZBqaHW1jL5TCiBCrhQYtHagUWy。 理想情况下,人们希望能够拥有像“乔治”这样的名字。 但问题是,如果一个人可以创建一个名为“乔治”的账户,那么其他人可以使用相同的过程为自己注册“乔治”,并假冒它们。 唯一的解决方案是采用first-to-file模式,第一个注册成功,第二个失败 - 这是一个完全适合比特币共识协议的问题。 使用这种想法实现名称注册系统,Namecoin是最早、也是最成功的一个。

Colored coins - the purpose of colored coins is to serve as a protocol to allow people to create their own digital currencies - or, in the important trivial case of a currency with one unit, digital tokens, on the Bitcoin blockchain. In the colored coins protocol, one “issues” a new currency by publicly assigning a color to a specific Bitcoin UTXO, and the protocol recursively defines the color of other UTXO to be the same as the color of the inputs that the transaction creating them spent (some special rules apply in the case of mixed-color inputs). This allows users to maintain wallets containing only UTXO of a specific color and send them around much like regular bitcoins, backtracking through the blockchain to determine the color of any UTXO that they receive.

彩色币(Colored coins) - Colored coins的目的是作为一种协议,允许人们在比特币区块链上创建自己的数字货币 - 或者,一个重要琐碎情况下的货币单位,数字代币等。 在彩色币协议中,通过公开地为特定的比特币UTXO分配一种颜色来“发布”新币种,并且该协议递归地将其他UTXO的颜色定义为,与创建该交易花费的输入(UTXO)的颜色相同 (一些特殊的规则适用于混合颜色输入的情况)。 这允许用户维护仅包含特定颜色的UTXO的钱包,并像常规比特币一样使用它们,通过区块链回溯可以确定它们接收的任何UTXO的颜色。

Metacoins - the idea behind a metacoin is to have a protocol that lives on top of Bitcoin, using Bitcoin transactions to store metacoin transactions but having a different state transition function, APPLY’. Because the metacoin protocol cannot prevent invalid metacoin transactions from appearing in the Bitcoin blockchain, a rule is added that if APPLY’(S,TX)returns an error, the protocol defaults to APPLY’(S,TX) = S. This provides an easy mechanism for creating an arbitrary cryptocurrency protocol, potentially with advanced features that cannot be implemented inside of Bitcoin itself, but with a very low development cost since the complexities of mining and networking are already handled by the Bitcoin protocol. Metacoins have been used to implement some classes of financial contracts, name registration and decentralized exchange.

元币(Metacoins) - metacoin背后的想法是拥有一个生活在比特币之上的协议,使用比特币交易来存储metacoin交易,但具有不同的状态转换函数 APPLY’。 由于元币协议不能防止无效的元币交易出现在比特币区块链中,所以添加一条规则,即如果APPLY’(S,TX)返回错误,则协议默认为APPLY’(S,TX)= S。 由于挖矿和网络的复杂性已经由比特币协议处理,所以创建任意加密货币协议的机制非常简单,可能无法在比特币内部实现高级功能,但其开发成本非常低。 Metacoins已被用于实施一些类别的金融合同,名称注册和分布式交换。

Thus, in general, there are two approaches toward building a consensus protocol: building an independent network, and building a protocol on top of Bitcoin. The former approach, while reasonably successful in the case of applications like Namecoin, is difficult to implement; each individual implementation needs to bootstrap an independent blockchain, as well as building and testing all of the necessary state transition and networking code. Additionally, we predict that the set of applications for decentralized consensus technology will follow a power law distribution where the vast majority of applications would be too small to warrant their own blockchain, and we note that there exist large classes of decentralized applications, particularly decentralized autonomous organizations, that need to interact with each other.

因此,总的来说,有两种方法可以建立一个共识协议:建立一个独立的网络,或者在比特币之上构建一个协议。 前一种方法虽然在像Namecoin这样的应用程序中相当成功,但很难实现,因为每个单独的应用都需要创建一个独立的区块链,以及构建和测试所有必要的状态转换和网络代码。 此外,我们预测分布式共识技术的应用程序集将遵循幂律分布,绝大多数应用太小而不能保证自己区块链的安全,并且我们注意到存在大量的分布式应用程序,特别是分布式自治组织,需要相互交流。

The Bitcoin-based approach, on the other hand, has the flaw that it does not inherit the simplified payment verification features of Bitcoin. SPV works for Bitcoin because it can use blockchain depth as a proxy for validity; at some point, once the ancestors of a transaction go far enough back, it is safe to say that they were legitimately part of the state. Blockchain-based meta-protocols, on the other hand, cannot force the blockchain not to include transactions that are not valid within the context of their own protocols. Hence, a fully secure SPV meta-protocol implementation would need to backward scan all the way to the beginning of the Bitcoin blockchain to determine whether or not certain transactions are valid. Currently, all “light” implementations of Bitcoin-based meta-protocols rely on a trusted server to provide the data, arguably a highly suboptimal result especially when one of the primary purposes of a cryptocurrency is to eliminate the need for trust.

另一方面,基于比特币的方法存在缺陷,因为它继承不了比特币的简化支付验证(SPV)功能。 SPV适用于比特币,因为它可以使用区块链深度作为有效性的代理; 在某种程度上,一旦交易的祖先足够回归,可以肯定地说它们是状态的合法组成部分。 另一方面,基于区块链的元协议,不能强制比特币区块链不要包含元协议环境中无效的交易。 因此,完全安全的SPV元协议实现需要一直向后扫描到比特币区块链的开头,以确定某些交易是否有效。 目前,基于比特币的元协议的所有“轻量级”实现依赖于可信服务器来提供数据,可以说这是一个非常不妙的结果,尤其是因为加密货币的主要目的之一,就是要消除对信任的需求。


Even without any extensions, the Bitcoin protocol actually does facilitate a weak version of a concept of “smart contracts”. UTXO in Bitcoin can be owned not just by a public key, but also by a more complicated script expressed in a simple stack-based programming language. In this paradigm, a transaction spending that UTXO must provide data that satisfies the script. Indeed, even the basic public key ownership mechanism is implemented via a script: the script takes an elliptic curve signature as input, verifies it against the transaction and the address that owns the UTXO, and returns 1 if the verification is successful and 0 otherwise. Other, more complicated, scripts exist for various additional use cases. For example, one can construct a script that requires signatures from two out of a given three private keys to validate (“multisig”), a setup useful for corporate accounts, secure savings accounts and some merchant escrow situations. Scripts can also be used to pay bounties for solutions to computational problems, and one can even construct a script that says something like “this Bitcoin UTXO is yours if you can provide an SPV proof that you sent a Dogecoin transaction of this denomination to me”, essentially allowing decentralized cross-cryptocurrency exchange.

即使没有任何扩展,比特币协议实际上也实现了“智能合约”概念的弱化版本。比特币中的UTXO不仅可以被公钥拥有,还可以被更复杂的脚本来拥有,这一脚本以简单的基于堆栈的编程语言来表达。在这个模式中,花费UTXO的交易必须提供满足脚本的数据。事实上,即使是基本的公钥所有权机制也是通过脚本实现的:脚本以椭圆曲线签名为输入,根据交易和拥有UTXO的地址验证它,如果验证成功则返回1,否则返回0。其他更复杂的脚本存在于各种其他用例中。例如,可以构建一个脚本,该脚本需要来自给定三个私钥中的两个的签名才能验证(多重签名“multisig”),这一设置对于公司帐户,安全储蓄帐户和一些商业托管情况很有用。脚本也可以用来支付解决计算问题的奖励,甚至你可以构建这样的脚本:“如果您可以提供SPV证据证明您已向此发送此币值的狗币(Dogecoin),则此比特币UTXO即属于您” ,本质上,比特币系统允许分布式的跨加密货币间的兑换。

However, the scripting language as implemented in Bitcoin has several important limitations:


Lack of Turing-completeness - that is to say, while there is a large subset of computation that the Bitcoin scripting language supports, it does not nearly support everything. The main category that is missing is loops. This is done to avoid infinite loops during transaction verification; theoretically it is a surmountable obstacle for script programmers, since any loop can be simulated by simply repeating the underlying code many times with an if statement, but it does lead to scripts that are very space-inefficient. For example, implementing an alternative elliptic curve signature algorithm would likely require 256 repeated multiplication rounds all individually included in the code.

缺乏图灵完备性 - 也就是说,尽管比特币脚本语言支持大量计算,但它并不是支持所有计算。 缺少的主要类别是循环(loops)。 这样做是为了避免交易验证期间的无限循环; 从理论上说,这是一个脚本程序员可以克服的障碍,因为任何循环都可以简单地用 if 语句多次重复底层代码来模拟,但它确实会导致脚本在空间利用上的低效。 例如,实施替代椭圆曲线签名算法可能需要256次重复的乘法循环,每一次循环都需单独包含在代码中。

Value-blindness - there is no way for a UTXO script to provide fine-grained control over the amount that can be withdrawn. For example, one powerful use case of an oracle contract would be a hedging contract, where A and B put in $1000 worth of BTC and after 30 days the script sends $1000 worth of BTC to A and the rest to B. This would require an oracle to determine the value of 1 BTC in USD, but even then it is a massive improvement in terms of trust and infrastructure requirement over the fully centralized solutions that are available now. However, because UTXO are all-or-nothing, the only way to achieve this is through the very inefficient hack of having many UTXO of varying denominations (eg. one UTXO of 2k for every k up to 30) and having O pick which UTXO to send to A and which to B.

价值盲 - UTXO脚本无法对可撤销的金额进行精细化控制。 例如,预言合同的一个强大的用例就是套期保值合同,A和B投入1000美元的BTC,30天后脚本向A发送价值1000美元的BTC,其余的则发给B。 这就需要预言确定1 BTC价值多少美元,但即使如此,它对信任和基础设施要求方面的重大改进已经超过了现在可用的完全集中式解决方案。 然而,由于UTXO全是或全无,实现这一目标的唯一方法,是通过非常低效地分解许多不同面额的UTXO(例如,一个每达到30 的2k的UTXO),并选择哪个UTXO 发送给A和哪个给B。

Lack of state - UTXO can either be spent or unspent; there is no opportunity for multi-stage contracts or scripts which keep any other internal state beyond that. This makes it hard to make multi-stage options contracts, decentralized exchange offers or two-stage cryptographic commitment protocols (necessary for secure computational bounties). It also means that UTXO can only be used to build simple, one-off contracts and not more complex “stateful” contracts such as decentralized organizations, and makes meta-protocols difficult to implement. Binary state combined with value-blindness also mean that another important application, withdrawal limits, is impossible.

缺乏状态 - UTXO只有用完和没有用两种状态; 多阶段合同或脚本没有机会保持任何其他内部状态。 这使得很难制定多阶段期权合约,分布式交易提议或两阶段密码承诺协议(安全计算奖励所必需的)。 这也意味着UTXO只能用于构建简单的一次性合同,而不能构建像分布式组织那样更复杂的“有状态”合同,并且使元协议难以实施。 二元状态与价值盲相结合还意味着另一个重要的应用——取款限制——不可能实现。

Blockchain-blindness - UTXO are blind to blockchain data such as the nonce, the timestamp and previous block hash. This severely limits applications in gambling, and several other categories, by depriving the scripting language of a potentially valuable source of randomness.

区块链盲 - UTXO对区块链数据(例如随机数,时间戳和前一个区块哈希)视而不见。 这剥夺了脚本语言来源于随机性的潜在价值,严重限制了赌博和其他几个类别的应用。

Thus, we see three approaches to building advanced applications on top of cryptocurrency: building a new blockchain, using scripting on top of Bitcoin, and building a meta-protocol on top of Bitcoin. Building a new blockchain allows for unlimited freedom in building a feature set, but at the cost of development time, bootstrapping effort and security. Using scripting is easy to implement and standardize, but is very limited in its capabilities, and meta-protocols, while easy, suffer from faults in scalability. With Ethereum, we intend to build an alternative framework that provides even larger gains in ease of development as well as even stronger light client properties, while at the same time allowing applications to share an economic environment and blockchain security.

综上,我们了解到在加密货币之上构建高级应用程序的三种方法:构建新的区块链,在比特币之上使用脚本,在比特币之上构建元协议。 构建新的区块链,可以在构建功能集时实现无限制的自由,但成本是开发时间,培育努力和安全保障。 使用脚本很容易实现和标准化,但其功能非常有限,而元协议虽然很容易,但在可伸缩性方面遇到问题。 通过以太坊,我们打算构建一个替代框架,在易于开发的同时提供更大的收益,以及更强大的轻客户端属性,同时允许应用程序共享经济环境和区块链安全。


The intent of Ethereum is to create an alternative protocol for building decentralized applications, providing a different set of tradeoffs that we believe will be very useful for a large class of decentralized applications, with particular emphasis on situations where rapid development time, security for small and rarely used applications, and the ability of different applications to very efficiently interact, are important. Ethereum does this by building what is essentially the ultimate abstract foundational layer: a blockchain with a built-in Turing-complete programming language, allowing anyone to write smart contracts and decentralized applications where they can create their own arbitrary rules for ownership, transaction formats and state transition functions. A bare-bones version of Namecoin can be written in two lines of code, and other protocols like currencies and reputation systems can be built in under twenty. Smart contracts, cryptographic “boxes” that contain value and only unlock it if certain conditions are met, can also be built on top of the platform, with vastly more power than that offered by Bitcoin scripting because of the added powers of Turing-completeness, value-awareness, blockchain-awareness and state.

以太坊的目的是为构建分散式应用程序创建一个替代协议,提供一套不同的折衷方案,我们认为这对于大量分布式应用程序非常有用,特别强调快速开发时间,小型很少使用的应用程序,以及不同应用程序的高效互动能力都很重要。以太坊通过构建本质上最终的抽象基础层来实现这一点:一种内置图灵完整编程语言的区块链,允许任何人编写智能合约和分布式应用程序,在这些应用程序中他们可以为所有权,交易格式和状态转换函数制定自己的规则。 Namecoin的一个简单版本可以用两行代码编写,其他协议,如货币和信誉系统可以在20行以内建立。因为拥有比比特币脚本所提供的功能强大得多的图灵完备性,价值知晓,区块链知晓和状态,所以智能合约,包含价值并且只有在满足特定条件时才解锁的密码“箱子”,都可以建立在平台之上。

1、以太坊账户(Ethereum Accounts)

In Ethereum, the state is made up of objects called “accounts”, with each account having a 20-byte address and state transitions being direct transfers of value and information between accounts. An Ethereum account contains four fields:

在以太坊中,状态由称为“帐户”的对象组成,每个帐户都有一个20字节的地址,状态转换是账户之间的价值和信息的直接转移。 以太坊账户包含四个字段:

  • The nonce, a counter used to make sure each transaction can only be processed once.
  • The account’s current ether balance.
  • The account’s contract code, if present.
  • The account’s storage (empty by default).
  • 随机数,用于确定每笔交易只能被处理一次的计算器
  • 账户当前的以太币余额
  • 账户的合约代码,如果有的话
  • 账户的存储(默认为空)

“Ether” is the main internal crypto-fuel of Ethereum, and is used to pay transaction fees. In general, there are two types of accounts: externally owned accounts, controlled by private keys, and contract accounts, controlled by their contract code. An externally owned account has no code, and one can send messages from an externally owned account by creating and signing a transaction; in a contract account, every time the contract account receives a message its code activates, allowing it to read and write to internal storage and send other messages or create contracts in turn.

“以太”是以太坊的主要内部加密燃料,用于支付交易费用。 一般来说,有两种类型的账户:外部所有的账户,由私钥控制;合同账户由合同代码控制。 外部所有的账户没有代码,人们从外部所有账户发送消息,以创建和签署交易; 在合同账户中,合约账户每次收到消息后,代码激活,将允许对内部存储进行读写和发送其他消息或者依次创建合约。

Note that “contracts” in Ethereum should not be seen as something that should be “fulfilled” or “complied with”; rather, they are more like “autonomous agents” that live inside of the Ethereum execution environment, always executing a specific piece of code when “poked” by a message or transaction, and having direct control over their own ether balance and their own key/value store to keep track of persistent variables.

请注意,以太坊中的“合约”不应被视为应该被“履行”或“遵守”的事物; 相反,他们更像是居住在以太坊执行环境中的“自主代理人”,当被消息或交易“捅一下”时,总是执行特定的代码段,并直接控制自己的以太余额和自己的密钥/ 值存储,保持对持久变量的跟踪。

2、消息与交易(Messages and Transactions)

The term “transaction” is used in Ethereum to refer to the signed data package that stores a message to be sent from an externally owned account. Transactions contain:


  • The recipient of the message
  • A signature identifying the sender
  • The amount of ether to transfer from the sender to the recipient
  • An optional data field
  • A STARTGAS value, representing the maximum number of computational steps the transaction execution is allowed to take
  • A GASPRICE value, representing the fee the sender pays per computational step
  • 消息接受人
  • 能证明发送者身份的签名
  • 一定数量的从发送者转移至接受者的以太币
  • 一个可选的数据字段
  • STARTGAS值,代表交易被执行时可以运行的最大计算步骤数
  • GASPRICE值,代表发送者为每个计算步骤支付的费用

The first three are standard fields expected in any cryptocurrency. The data field has no function by default, but the virtual machine has an opcode using which a contract can access the data; as an example use case, if a contract is functioning as an on-blockchain domain registration service, then it may wish to interpret the data being passed to it as containing two “fields”, the first field being a domain to register and the second field being the IP address to register it to. The contract would read these values from the message data and appropriately place them in storage.

前三个是任何加密货币中预期的标准字段。 数据字段默认没有功能,但虚拟机具有合同可以访问数据的操作码; 作为示例用例,如果合同作为区块链上的域名注册服务运行,那么它可能希望将传递给它的数据解释为包含两个“字段”,第一个字段是要注册的域名,第二个字段是域名的IP地址。 合同将从消息数据中读取这些值并将其妥善放置在存储中。

The STARTGAS and GASPRICE fields are crucial for Ethereum’s anti-denial of service model. In order to prevent accidental or hostile infinite loops or other computational wastage in code, each transaction is required to set a limit to how many computational steps of code execution it can use. The fundamental unit of computation is “gas”; usually, a computational step costs 1 gas, but some operations cost higher amounts of gas because they are more computationally expensive, or increase the amount of data that must be stored as part of the state. There is also a fee of 5 gas for every byte in the transaction data. The intent of the fee system is to require an attacker to pay proportionately for every resource that they consume, including computation, bandwidth and storage; hence, any transaction that leads to the network consuming a greater amount of any of these resources must have a gas fee roughly proportional to the increment.

对于以太坊的反拒绝服务模式,STARTGAS和GASPRICE字段至关重要。 为了防止代码中的意外或恶意的无限循环,或其他计算浪费,每个事务都需要设置它可以使用多少的代码执行步骤数。 计算的基本单位是“gas”。 通常,一个计算步骤花费1个gas,但是一些操作耗费更高的gas,因为它们在计算上更昂贵,或者增加了作为状态的一部分的必须存储的数据量。 交易数据中的每个字节也要收费5个gas。 收费系统的目的是要求攻击者按比例支付他们消费的每一种资源,包括计算量,带宽和存储量; 因此,任何导致网络消耗更多资源的交易必须具有与增量大致成比例的gas。


Contracts have the ability to send “messages” to other contracts. Messages are virtual objects that are never serialized and exist only in the Ethereum execution environment. A message contains:

  • The sender of the message (implicit)
  • The recipient of the message
  • The amount of ether to transfer alongside the message
  • An optional data field
  • A STARTGAS value


  • 消息发送者(固有的)
  • 消息接受者
  • 与消息一起被转移的以太币的数量
  • 可选的数据字段

Essentially, a message is like a transaction, except it is produced by a contract and not an external actor. A message is produced when a contract currently executing code executes the CALLopcode, which produces and executes a message. Like a transaction, a message leads to the recipient account running its code. Thus, contracts can have relationships with other contracts in exactly the same way that external actors can.

从本质上讲,消息就像一个交易,除了它是由合同产生的而不是由外部参与者产生的之外。 当一个正在运行代码的协议执行CALLopcode时,将会产生和执行一条消息。 就像一个交易,一条消息导致接收人账户运行其代码。 因此,合约可以拥有与其他合约的关系,这与外部参与者之间的方式完全相同。

Note that the gas allowance assigned by a transaction or contract applies to the total gas consumed by that transaction and all sub-executions. For example, if an external actor A sends a transaction to B with 1000 gas, and B consumes 600 gas before sending a message to C, and the internal execution of C consumes 300 gas before returning, then B can spend another 100 gas before running out of gas.

请注意,交易或合同分配的gas限额适用于该交易和所有子执行消耗的总gas。 例如,如果外部参与者A向B发送带有1000个gas的事交易,B在向C发送消息之前消耗了600个gas,并且C的内部执行在返回之前消耗300个gas,则B在用光gas之前,只可以花费另外100个gas。

4、以太坊状态转换函数(Ethereum State Transition Function)

Ethereum State Transition Function

The Ethereum state transition function, APPLY(S,TX) -> S’ can be defined as follows:

  • Check if the transaction is well-formed (ie. has the right number of values), the signature is valid, and the nonce matches the nonce in the sender’s account. If not, return an error.
  • Calculate the transaction fee as STARTGAS * GASPRICE, and determine the sending address from the signature. Subtract the fee from the sender’s account balance and increment the sender’s nonce. If there is not enough balance to spend, return an error.
  • Initialize GAS = STARTGAS, and take off a certain quantity of gas per byte to pay for the bytes in the transaction.
  • Transfer the transaction value from the sender’s account to the receiving account. If the receiving account does not yet exist, create it. If the receiving account is a contract, run the contract’s code either to completion or until the execution runs out of gas.
  • If the value transfer failed because the sender did not have enough money, or the code execution ran out of gas, revert all state changes except the payment of the fees, and add the fees to the miner’s account.
  • Otherwise, refund the fees for all remaining gas to the sender, and send the fees paid for gas consumed to the miner.

以太坊状态转换函数 APPLY(S,TX) -> S’ 定义如下:

  • 检查交易是否被构建完好(例如,有正确的值),签名是否正确,随机数是否与发送者账户的随机数匹配。如果不是,返回错误。
  • 通过 STARTGAS * GASPRICE计算出交易费用,确定发生地址来自于签名,从发送者账户减去费用,同时增加发送者的随机数。如果没有足够的余额,返回错误。
  • 初始化 GAS = STARTGAS,在交易中支付确定每字节数量的gas。
  • 从发送者账户转移交易数额至接受者的账户。如果接受者的账户不存在,创建一个。如果接受者账户是一个合约,运行合约代码要么完成,要么用光了所有的gas。
  • 如果是因为发送者没有足够的钱而导致转移失败,或者是代码运行用光了gas,除了支付的费用外,恢复所有状态的更改,并将费用支付给矿工的账户
  • 相反的情况,将剩余的费用找零给发送者,支付消耗的费用给矿工。

For example, suppose that the contract’s code is:


if !self.storage[calldataload(0)]:
    self.storage[calldataload(0)] = calldataload(32)

Note that in reality the contract code is written in the low-level EVM code; this example is written in Serpent, one of our high-level languages, for clarity, and can be compiled down to EVM code. Suppose that the contract’s storage starts off empty, and a transaction is sent with 10 ether value, 2000 gas, 0.001 ether gasprice, and 64 bytes of data, with bytes 0-31 representing the number 2and bytes 32-63 representing the string CHARLIE. The process for the state transition function in this case is as follows:

  • Check that the transaction is valid and well formed.
  • Check that the transaction sender has at least 2000 * 0.001 = 2 ether. If it is, then subtract 2 ether from the sender’s account.
  • Initialize gas = 2000; assuming the transaction is 170 bytes long and the byte-fee is 5, subtract 850 so that there is 1150 gas left.
  • Subtract 10 more ether from the sender’s account, and add it to the contract’s account.
  • Run the code. In this case, this is simple: it checks if the contract’s storage at index 2 is used, notices that it is not, and so it sets the storage at index 2 to the value CHARLIE. Suppose this takes 187 gas, so the remaining amount of gas is 1150 - 187 = 963
  • Add 963 * 0.0001 = 0.963 ether back to the sender’s account, and return the resulting state.

请注意,实际上,合约代码是用低级EVM代码编写的; 为了清晰起见,本示例使用Serpent(我们的高级语言之一)编写,并且可以编译为EVM代码。 假设,合约的存储从空开始,交易是发送:10个以太币,2000gas,0.001 gasprice 和 64字节,其中字节0-31代表数字2,字节32-63代表字符串CHARLIE。 在这种情况下状态转换函数进行如下处理:

  • 检查交易是否有效并组织完好
  • 检查交易发送者至少拥有2000 * 0.001 = 2 个以太币,并从其账户上扣减2个以太币
  • 初始化 gas = 2000,假定交易是170字节,每字节5gas,减去850gas,剩下 1150 gas
  • 从发送者账户减去10个以太币,将其增加到合约账户
  • 运行代码。在这个案例中,非常简单:检查合约账户的存储索引 2 是否被使用,提示没有,则将存储索引2的数据设置为 CHARLIE 。假设这花费了187gas,余下的就是 1150 - 187 = 963 gas
  • 返还 963 * 0.0001 = 0.963 以太币到发送者账户,同时返回结果状态。

If there was no contract at the receiving end of the transaction, then the total transaction fee would simply be equal to the provided GASPRICE multiplied by the length of the transaction in bytes, and the data sent alongside the transaction would be irrelevant.


Note that messages work equivalently to transactions in terms of reverts: if a message execution runs out of gas, then that message’s execution, and all other executions triggered by that execution, revert, but parent executions do not need to revert. This means that it is “safe” for a contract to call another contract, as if A calls B with G gas then A’s execution is guaranteed to lose at most G gas. Finally, note that there is an opcode, CREATE, that creates a contract; its execution mechanics are generally similar to CALL, with the exception that the output of the execution determines the code of a newly created contract.

请注意,消息在回滚方面与交易相同:如果消息执行耗尽gas,那么该消息的执行以及该执行触发的所有其他执行都会回滚,但父执行不需要回滚。 这意味着合约调用另一份合约是“安全的”,就好像A用G gas调用B,那么可以确保A的执行最多会损失G gas。 最后,请注意,有一个操作码CREATE,它创建合约; 其执行机制通常与CALL类似,例外是执行的输出决定了新创建的合约代码。

5、代码执行(Code Execution)

The code in Ethereum contracts is written in a low-level, stack-based bytecode language, referred to as “Ethereum virtual machine code” or “EVM code”. The code consists of a series of bytes, where each byte represents an operation. In general, code execution is an infinite loop that consists of repeatedly carrying out the operation at the current program counter (which begins at zero) and then incrementing the program counter by one, until the end of the code is reached or an error or STOP or RETURN instruction is detected. The operations have access to three types of space in which to store data:

  • The stack, a last-in-first-out container to which values can be pushed and popped
  • Memory, an infinitely expandable byte array
  • The contract’s long-term storage, a key/value store. Unlike stack and memory, which reset after computation ends, storage persists for the long term.

以太坊合约中的代码采用低级,基于堆栈的字节码语言编写,被称为“以太坊虚拟机代码”或“EVM代码”。 该代码由一系列字节组成,其中每个字节表示一个操作。 一般来说,代码执行是一个无限循环,它包括在当前程序计数器(从零开始)重复执行操作,然后将程序计数器递增1,直到代码结束或错误或STOP 或RETURN指令被检测到。 这些操作可以访问三种类型的数据存储空间:

  • 堆栈,数据压入弹出的后进先出的容器
  • 内存,一个无限扩展的字节数组
  • 合约的长期存储,一个键/值存储,与堆栈和内存会在计算结束后重置不同,这一存储将会长期保持

The code can also access the value, sender and data of the incoming message, as well as block header data, and the code can also return a byte array of data as an output.


The formal execution model of EVM code is surprisingly simple. While the Ethereum virtual machine is running, its full computational state can be defined by the tuple (block_state, transaction, message, code, memory, stack, pc, gas), where block_state is the global state containing all accounts and includes balances and storage. At the start of every round of execution, the current instruction is found by taking the pcth byte of code (or 0 if pc >= len(code)), and each instruction has its own definition in terms of how it affects the tuple. For example, ADD pops two items off the stack and pushes their sum, reduces gas by 1 and increments pc by 1, and SSTORE pops the top two items off the stack and inserts the second item into the contract’s storage at the index specified by the first item. Although there are many ways to optimize Ethereum virtual machine execution via just-in-time compilation, a basic implementation of Ethereum can be done in a few hundred lines of code.

EVM代码的正式执行模型非常简单。 当以太坊虚拟机正在运行时,它的完整计算状态可以由元组(block_state,transaction,message,code,memory,stack,pc,gas)定义,其中block_state是包含所有帐户的全局状态,并包含余额和存储。 在每一轮执行开始时,当前指令可以通过获取代码的pc th(译者注:类似4th,5th 等)字节来找到(如果pc> = len(code),则为0),并且每条指令都有其自己的定义,以表明它如何影响元组。 例如,ADD从堆叠中弹出两个物品并推送其总和,将gas减少1,并将pc递增1,SSTORE将顶部两项品从堆栈中弹出,并将第二项插入到合约存储器中作为索引的第一项。 虽然有很多方法可以通过即时编译来优化以太坊虚拟机的执行,但以太坊的基本实现可以通过几百行代码完成。

6、区块链和挖矿(Blockchain and Mining)

Blockchain and Mining

The Ethereum blockchain is in many ways similar to the Bitcoin blockchain, although it does have some differences. The main difference between Ethereum and Bitcoin with regard to the blockchain architecture is that, unlike Bitcoin, Ethereum blocks contain a copy of both the transaction list and the most recent state. Aside from that, two other values, the block number and the difficulty, are also stored in the block. The basic block validation algorithm in Ethereum is as follows:

    1. Check if the previous block referenced exists and is valid.
    1. Check that the timestamp of the block is greater than that of the referenced previous block and less than 15 minutes into the future
    1. Check that the block number, difficulty, transaction root, uncle root and gas limit (various low-level Ethereum-specific concepts) are valid
    1. Check that the proof of work on the block is valid.
    1. Let S[0] be the state at the end of the previous block.
    1. Let TX be the block’s transaction list, with n transactions. For all i in 0…n-1, set S[i+1] = APPLY(S[i],TX[i]). If any applications returns an error, or if the total gas consumed in the block up until this point exceeds the GASLIMIT, return an error.
    1. Let S_FINAL be S[n], but adding the block reward paid to the miner.
    1. Check if the Merkle tree root of the state S_FINAL is equal to the final state root provided in the block header. If it is, the block is valid; otherwise, it is not valid.

以太坊区块链在很多方面与比特币区块链相似,但它确实有一些区别。 以太坊和比特币在区块链架构方面的主要区别在于,与比特币不同,以太坊区块包含交易列表和最新状态的副本。 除此之外,区块块中还存储了其他两个值,区块号和难度。 以太坊中的基础的区块验证算法如下:

  1. 检查被引用的前一区块是否存在并有效
  2. 检查时间戳是否大于被引用的前一区块并且小于未来15分钟
  3. 检查区块号,难度,交易根,叔根和gas限制(各种各样底层的以太坊特有概念)是否有效。
  4. 检查当前区块的工作量证明是否有效。
  5. 让 S[0] 作为前一区块末尾的状态
  6. 让 TX 作为区块的交易列表,包含了 n 个交易。为所有在 0…n-1的 i 进行操作, 让 S[i+1] = APPLY(S[i],TX[i])。如果任何应用返回错误,或者 gas 消耗超过了 GASLINIT 的限制,返回错误。
  7. 让S_FINAL 成为 S[n],但要增加支付给矿工的区块奖励。
  8. 检查 S_FINAL 中默克尔树根是否等于区块头部的最终状态根。如果相等则区块是有效的,否则区块无效。

The approach may seem highly inefficient at first glance, because it needs to store the entire state with each block, but in reality efficiency should be comparable to that of Bitcoin. The reason is that the state is stored in the tree structure, and after every block only a small part of the tree needs to be changed. Thus, in general, between two adjacent blocks the vast majority of the tree should be the same, and therefore the data can be stored once and referenced twice using pointers (ie. hashes of subtrees). A special kind of tree known as a “Patricia tree” is used to accomplish this, including a modification to the Merkle tree concept that allows for nodes to be inserted and deleted, and not just changed, efficiently. Additionally, because all of the state information is part of the last block, there is no need to store the entire blockchain history - a strategy which, if it could be applied to Bitcoin, can be calculated to provide 5-20x savings in space.

这种方法乍一看似乎效率很低,因为它需要在每个块中存储整个状态,但实际上效率应该与比特币相当。 原因是状态存储在树状结构中,并且在每个块之后只需要改变树的一小部分。 因此,通常在两个相邻块之间,绝大多数树应该是相同的,因此数据可以被存储一次并且使用指针(即子树的散列)被引用两次。 一种称为“Patricia树”的特殊树被用来实现这一点,包括对Merkle树概念的修改,允许节点被插入和删除,而不仅仅是改变,非常高效。 此外,由于所有状态信息都是最后一个区块的一部分,因此不需要存储整个区块链历史记录 - 这一策略如果应用于比特币,可以节省出节省5-20倍的空间。

A commonly asked question is “where” contract code is executed, in terms of physical hardware. This has a simple answer: the process of executing contract code is part of the definition of the state transition function, which is part of the block validation algorithm, so if a transaction is added into block B the code execution spawned by that transaction will be executed by all nodes, now and in the future, that download and validate block B.



In general, there are three types of applications on top of Ethereum. The first category is financial applications, providing users with more powerful ways of managing and entering into contracts using their money. This includes sub-currencies, financial derivatives, hedging contracts, savings wallets, wills, and ultimately even some classes of full-scale employment contracts. The second category is semi-financial applications, where money is involved but there is also a heavy non-monetary side to what is being done; a perfect example is self-enforcing bounties for solutions to computational problems. Finally, there are applications such as online voting and decentralized governance that are not financial at all.

总的来说,在以太坊之上有三种类型的应用程序。 第一类是金融应用程序,它为用户提供更强大的管理方式,让用户使用它们的资金签订合同。 这包括子货币,金融衍生品,套期保值合约,储蓄钱包,遗嘱以及最终甚至是一些类别的全面雇佣合同。 第二类是半金融应用,涉及金钱,但也有非常重要的非货币方面的工作。一个完美的例子就是为计算问题的解决自我实施奖励。 最后,还有诸如在线投票和分布式治理等应用程序,这些应用程序一点儿也没有财务属性。

1、代币系统(Token Systems)

On-blockchain token systems have many applications ranging from sub-currencies representing assets such as USD or gold to company stocks, individual tokens representing smart property, secure unforgeable coupons, and even token systems with no ties to conventional value at all, used as point systems for incentivization. Token systems are surprisingly easy to implement in Ethereum. The key point to understand is that all a currency, or token system, fundamentally is a database with one operation: subtract X units from A and give X units to B, with the proviso that (1) A had at least X units before the transaction and (2) the transaction is approved by A. All that it takes to implement a token system is to implement this logic into a contract.

区块链上的代币系统有许多应用,从代表资产(如美元或黄金)的子货币到公司股票,还有代表智能财产的单个代币,安全不可伪造的优惠券,甚至还有与常规价值完全不相干的代币,它被用做点激励系统。 代币系统在以太坊中实现起来非常简单。 要理解的关键点是,所有货币或代币系统基本上都是一个数据库,只有一个操作:从A中减去X个单位并将X个单位给予B,但条件是(1)在交易前,A至少有X个单位和(2)交易由A批准。实现代币系统所需的一切就是将该逻辑在合约中实施。

The basic code for implementing a token system in Serpent looks as follows:


def send(to, value):
    if self.storage[msg.sender] >= value:
        self.storage[msg.sender] = self.storage[msg.sender] - value
        self.storage[to] = self.storage[to] + value

This is essentially a literal implementation of the “banking system” state transition function described further above in this document. A few extra lines of code need to be added to provide for the initial step of distributing the currency units in the first place and a few other edge cases, and ideally a function would be added to let other contracts query for the balance of an address. But that’s all there is to it. Theoretically, Ethereum-based token systems acting as sub-currencies can potentially include another important feature that on-chain Bitcoin-based meta-currencies lack: the ability to pay transaction fees directly in that currency. The way this would be implemented is that the contract would maintain an ether balance with which it would refund ether used to pay fees to the sender, and it would refill this balance by collecting the internal currency units that it takes in fees and reselling them in a constant running auction. Users would thus need to “activate” their accounts with ether, but once the ether is there it would be reusable because the contract would refund it each time.


2、金融衍生品和价值稳定的货币(Financial derivatives and Stable-Value Currencies)

Financial derivatives are the most common application of a “smart contract”, and one of the simplest to implement in code. The main challenge in implementing financial contracts is that the majority of them require reference to an external price ticker; for example, a very desirable application is a smart contract that hedges against the volatility of ether (or another cryptocurrency) with respect to the US dollar, but doing this requires the contract to know what the value of ETH/USD is. The simplest way to do this is through a “data feed” contract maintained by a specific party (eg. NASDAQ) designed so that that party has the ability to update the contract as needed, and providing an interface that allows other contracts to send a message to that contract and get back a response that provides the price.

金融衍生工具是“智能合约”中最常见的应用,也是最简单的代码实现之一。 实施金融合同的主要挑战是,其中大部分要求参考外部价格报价器; 例如,一个非常理想的应用程序是一种智能合约,可以抵御以太币(或另一种加密货币)相对于美元的波动性,但这样做需要合约知道ETH / USD的价值。 最简单的方法是通过由特定方(例如纳斯达克)维护的“数据反馈”合同,以便该方有权根据需要更新合同,并提供一个接口,以允许其他合同向那个合同发送消息并取回提供价格的响应。

Given that critical ingredient, the hedging contract would look as follows:

  • Wait for party A to input 1000 ether.
  • Wait for party B to input 1000 ether.
  • Record the USD value of 1000 ether, calculated by querying the data feed contract, in storage, say this is $x.
  • After 30 days, allow A or B to “reactivate” the contract in order to send $x worth of ether (calculated by querying the data feed contract again to get the new price) to A and the rest to B.


  • 等待 A 方 输入1000 以太币
  • 等待 B 方输入1000以太币
  • 记录1000 以太币价值多少美元,这通过询问数据反馈合约后计算获得,保存,假如是 $x
  • 30天后,允许A或者B再次激活合约,发送价值$x 的以太币给A,具体的以太币的数值当然也是在询问数据反馈合约后计算获得,余下的以太币发送给B

Such a contract would have significant potential in crypto-commerce. One of the main problems cited about cryptocurrency is the fact that it’s volatile; although many users and merchants may want the security and convenience of dealing with cryptographic assets, they may not wish to face that prospect of losing 23% of the value of their funds in a single day. Up until now, the most commonly proposed solution has been issuer-backed assets; the idea is that an issuer creates a sub-currency in which they have the right to issue and revoke units, and provide one unit of the currency to anyone who provides them (offline) with one unit of a specified underlying asset (eg. gold, USD). The issuer then promises to provide one unit of the underlying asset to anyone who sends back one unit of the crypto-asset. This mechanism allows any non-cryptographic asset to be “uplifted” into a cryptographic asset, provided that the issuer can be trusted.

这样的合同在密码商务中将具有巨大的潜力。 引用加密货币的主要问题之一是不稳定; 尽管许多用户和商家可能希望使用加密资产的安全性和便利性,但他们可能不希望一天内损失其资金价值23%的前景。 到目前为止,最常见的解决方案是发行人背书资产; 这个想法是,发行人创建了一个子货币,他们有权发行和撤回货币单位,并将任何一个单位的货币提供给那些给他们(离线)提供一个单位特定基础资产(例如,黄金 , 美元)的人。 然后,发行人承诺向发回一个单位加密资产的任何人返还一个基础资产单位。 该机制允许任何非密码资产被“提升”为密码资产,前提是发行人可以被信任。

In practice, however, issuers are not always trustworthy, and in some cases the banking infrastructure is too weak, or too hostile, for such services to exist. Financial derivatives provide an alternative. Here, instead of a single issuer providing the funds to back up an asset, a decentralized market of speculators, betting that the price of a cryptographic reference asset (eg. ETH) will go up, plays that role. Unlike issuers, speculators have no option to default on their side of the bargain because the hedging contract holds their funds in escrow. Note that this approach is not fully decentralized, because a trusted source is still needed to provide the price ticker, although arguably even still this is a massive improvement in terms of reducing infrastructure requirements (unlike being an issuer, issuing a price feed requires no licenses and can likely be categorized as free speech) and reducing the potential for fraud.

然而,在实践中,发行人并不总是值得信赖的,而且在某些情况下,银行业基础设施太脆弱,或者银行不够诚信,所以这样的服务不能存在。金融衍生产品提供了另一种选择。在这里,不是单一发行人提供资金来支撑一种资产,而是一个分布式的投机者市场,他们认为加密资产(例如ETH)的价格会上涨,而扮演了投机者这个角色。 与发行人不同,投机者没有讨价还价的余地,因为对冲合约持有他们的资金托管。 请注意,这种方法并不是完全分布式的,因为仍然需要一个可信赖的来源来提供报价,尽管可以说即使如此,这也仍然是一个在降低基础设施要求(与发行商不同,发布价格反馈不需要许可证,并可能被归类为言论自由)和减少欺诈的可能性方面的巨大进步。

3、身份和信誉系统(Identity and Reputation Systems)

The earliest alternative cryptocurrency of all, Namecoin, attempted to use a Bitcoin-like blockchain to provide a name registration system, where users can register their names in a public database alongside other data. The major cited use case is for a DNS system, mapping domain names like “bitcoin.org” (or, in Namecoin’s case, “bitcoin.bit”) to an IP address. Other use cases include email authentication and potentially more advanced reputation systems. Here is the basic contract to provide a Namecoin-like name registration system on Ethereum:

最早的替代加密货币,Namecoin试图使用类似比特币的区块链来提供名称注册系统,用户可以在公共数据库中将他们的名称与其他数据一起注册。 主要引用的用例是DNS系统,将域名(比如“bitcoin.org”)(或者在Namecoin的例子中是“bitcoin.bit”)映射到IP地址。 其他用例包括电子邮件认证和潜在的更高级的信誉系统。 以下是在以太坊提供类似Namecoin的名称注册系统的基本合约:

def register(name, value):
    if !self.storage[name]:
        self.storage[name] = value

The contract is very simple; all it is is a database inside the Ethereum network that can be added to, but not modified or removed from. Anyone can register a name with some value, and that registration then sticks forever. A more sophisticated name registration contract will also have a “function clause” allowing other contracts to query it, as well as a mechanism for the “owner” (ie. the first registerer) of a name to change the data or transfer ownership. One can even add reputation and web-of-trust functionality on top.

合约非常简单; 所有这一切都是以太坊网络内的一个数据库,可以添加到但不能修改或删除。 任何人都可以注册一个具有一定价值的名称,然后该注册将永久保存。 一个更复杂的名称注册合同也会有一个“函数条款”,允许其他合同进行查询,以及一个为“所有者”而设的机制(即,第一注册者),所有者可以更改数据或转让所有权。 人们甚至可以在上面添加信誉和网络信任功能。

4、分布式文件存储(Decentralized File Storage)

Over the past few years, there have emerged a number of popular online file storage startups, the most prominent being Dropbox, seeking to allow users to upload a backup of their hard drive and have the service store the backup and allow the user to access it in exchange for a monthly fee. However, at this point the file storage market is at times relatively inefficient; a cursory look at various existing solutions shows that, particularly at the “uncanny valley” 20-200 GB level at which neither free quotas nor enterprise-level discounts kick in, monthly prices for mainstream file storage costs are such that you are paying for more than the cost of the entire hard drive in a single month. Ethereum contracts can allow for the development of a decentralized file storage ecosystem, where individual users can earn small quantities of money by renting out their own hard drives and unused space can be used to further drive down the costs of file storage.

在过去几年中,已经出现了一些流行的在线文件存储初创公司,其中最着名的是Dropbox,它试图允许用户上传他们硬盘的备份,提供保存备份和用户访问这些数据服务,他们为此收取月费。 但是,目前文件存储市场有时相对低效, 粗略看一下现有的各种解决方案,特别是在20-200 GB的“恐怖谷”水平上,既没有免费额度也没有企业级的折扣,你支付的主流文件存储成本的每月价格,要高于单月整个硬盘的成本。 以太坊合同可以允许开发分布式文件存储生态系统,个人用户可以通过出租自己的硬盘来赚取少量的资金,未使用的空间可以用来进一步降低文件存储成本。

The key underpinning piece of such a device would be what we have termed the “decentralized Dropbox contract”. This contract works as follows. First, one splits the desired data up into blocks, encrypting each block for privacy, and builds a Merkle tree out of it. One then makes a contract with the rule that, every N blocks, the contract would pick a random index in the Merkle tree (using the previous block hash, accessible from contract code, as a source of randomness), and give X ether to the first entity to supply a transaction with a simplified payment verification-like proof of ownership of the block at that particular index in the tree. When a user wants to re-download their file, they can use a micropayment channel protocol (eg. pay 1 szabo per 32 kilobytes) to recover the file; the most fee-efficient approach is for the payer not to publish the transaction until the end, instead replacing the transaction with a slightly more lucrative one with the same nonce after every 32 kilobytes.

这种装置的关键部件我们称之为“分布式Dropbox合同”。该合同的如此工作。首先,将所需数据分成块,对每个块进行隐私加密,然后构建默克尔树。然后用以下规则形成合约:每N个块,合约将在Merkle树中选择一个随机索引(可从合同代码访问,使用之前的区块散列作为随机源),并将 X 以太币赋予第一个实体,为该交易提供一个简化的支付验证(SPV) - 就像在树中特定索引处的块的所有权证明。当用户想要重新下载他们的文件时,他们可以使用微支付通道协议(例如,支付每32千字节1个szabo)来恢复文件;最节省费用的方法是付款人不到最后不要发布交易,而是,在每32千字节之后,用一个更划算的带有同样随机数的交易取代原来的那个。

An important feature of the protocol is that, although it may seem like one is trusting many random nodes not to decide to forget the file, one can reduce that risk down to near-zero by splitting the file into many pieces via secret sharing, and watching the contracts to see each piece is still in some node’s possession. If a contract is still paying out money, that provides a cryptographic proof that someone out there is still storing the file.

该协议的一个重要特点是,虽然看起来像一个人相信许多不会丢失文件的随机节点,但可以通过秘密共享将文件分割成许多块,从而将风险降低到接近于零,并通过监看合约来了解每个碎片仍然在某个节点中。 如果合约仍在支付金钱,那么它提供了一个某人仍在存储该文件的密码学证据。

5、分布式自治组织(Decentralized Autonomous Organizations)

The general concept of a “decentralized autonomous organization” is that of a virtual entity that has a certain set of members or shareholders which, perhaps with a 67% majority, have the right to spend the entity’s funds and modify its code. The members would collectively decide on how the organization should allocate its funds. Methods for allocating a DAO’s funds could range from bounties, salaries to even more exotic mechanisms such as an internal currency to reward work. This essentially replicates the legal trappings of a traditional company or nonprofit but using only cryptographic blockchain technology for enforcement. So far much of the talk around DAOs has been around the “capitalist” model of a “decentralized autonomous corporation” (DAC) with dividend-receiving shareholders and tradable shares; an alternative, perhaps described as a “decentralized autonomous community”, would have all members have an equal share in the decision making and require 67% of existing members to agree to add or remove a member. The requirement that one person can only have one membership would then need to be enforced collectively by the group.


A general outline for how to code a DAO is as follows. The simplest design is simply a piece of self-modifying code that changes if two thirds of members agree on a change. Although code is theoretically immutable, one can easily get around this and have de-facto mutability by having chunks of the code in separate contracts, and having the address of which contracts to call stored in the modifiable storage. In a simple implementation of such a DAO contract, there would be three transaction types, distinguished by the data provided in the transaction:

  • [0,i,K,V] to register a proposal with index i to change the address at storage index K to value V
  • [0,i] to register a vote in favor of proposal i
  • [2,i] to finalize proposal i if enough votes have been made

如何编写DAO的一般概要如下。 最简单的设计只是一个自我修改的代码,如果三分之二的成员同意修改就会发生变化。 尽管代码在理论上是不可变的,但人们可以很容易地解决这个问题,通过在单独的合同中包含大部分代码,并调用那些合同的地址存储在可修改的存储中,从而具有事实上的可变性。 在这种DAO合同的简单实现中,有三种交易类型,通过交易中提供的数据进行区分:

  • 注册一个提议,用索引 i 来修改存储索引 K 到 V 的地址
  • 注册一个赞成建议 i 的投票
  • 如果足够的投票已经做出,敲定建议 i

The contract would then have clauses for each of these. It would maintain a record of all open storage changes, along with a list of who voted for them. It would also have a list of all members. When any storage change gets to two thirds of members voting for it, a finalizing transaction could execute the change. A more sophisticated skeleton would also have built-in voting ability for features like sending a transaction, adding members and removing members, and may even provide for Liquid Democracy-style vote delegation (ie. anyone can assign someone to vote for them, and assignment is transitive so if A assigns B and B assigns C then C determines A’s vote). This design would allow the DAO to grow organically as a decentralized community, allowing people to eventually delegate the task of filtering out who is a member to specialists, although unlike in the “current system” specialists can easily pop in and out of existence over time as individual community members change their alignments.


An alternative model is for a decentralized corporation, where any account can have zero or more shares, and two thirds of the shares are required to make a decision. A complete skeleton would involve asset management functionality, the ability to make an offer to buy or sell shares, and the ability to accept offers (preferably with an order-matching mechanism inside the contract). Delegation would also exist Liquid Democracy-style, generalizing the concept of a “board of directors”.

另一种模式是分布式公司,任何账户可以有零或更多的股份,作出决定需要三分之二的股份支持。 一个完整的框架将涉及资产管理功能,提出购买或出售股份的能力,以及接受要约的能力(最好是在合同中使用订单匹配机制)。授权也存在流式民主风格,也就产生了“董事会”的概念。

6、未来的应用(Further Applications)

  1. Savings wallets. Suppose that Alice wants to keep her funds safe, but is worried that she will lose or someone will hack her private key. She puts ether into a contract with Bob, a bank, as follows:
  • Alice alone can withdraw a maximum of 1% of the funds per day.
  • Bob alone can withdraw a maximum of 1% of the funds per day, but Alice has the ability to make a transaction with her key shutting off this ability.
  • Alice and Bob together can withdraw anything.

Normally, 1% per day is enough for Alice, and if Alice wants to withdraw more she can contact Bob for help. If Alice’s key gets hacked, she runs to Bob to move the funds to a new contract. If she loses her key, Bob will get the funds out eventually. If Bob turns out to be malicious, then she can turn off his ability to withdraw.

  1. 储蓄钱包。假设Alice想安全的保管她的资金,但是却担心自己弄丢了私钥或者有人非法侵入获得她的私钥。她把以太币放在一个与Bob的合约里,一家银行,操作如下:
  • Alice每天可以独自取款最多1%
  • Bob每天可以独自取款最多1%,但是Alice有权用她的钥匙发起一个交易关闭Bob的这个权利
  • Alice和Bob一起可以提取任意额度的资金

通常情况下,Alice每天1%就足够了,如果Alice想要提取更多的资金,她可以联系鲍勃寻求帮助。 如果Alice的密钥遭到黑客攻击,她会去找Bob将资金转移到新的合约。 如果Alice失去了她的密钥,Bob将最终取出所有资金。 如果事实证明Bob是恶意的,那么她可以关闭他的取款资格。

  1. Crop insurance. One can easily make a financial derivatives contract but using a data feed of the weather instead of any price index. If a farmer in Iowa purchases a derivative that pays out inversely based on the precipitation in Iowa, then if there is a drought, the farmer will automatically receive money and if there is enough rain the farmer will be happy because their crops would do well. This can be expanded to natural disaster insurance generally.
  1. 作物保险。 人们可以很容易地使用天气的数据反馈而不是任何价格指数来制定金融衍生品合约。 如果爱荷华州的农民购买与爱荷华州降水量相反支付的衍生合约,那么如果出现干旱,农民将自动获得收入,如果雨水充足,农民就会因为收成良好而开心。 这一般可以扩展到自然灾害保险。
  1. A decentralized data feed. For financial contracts for difference, it may actually be possible to decentralize the data feed via a protocol called “SchellingCoin”. SchellingCoin basically works as follows: N parties all put into the system the value of a given datum (eg. the ETH/USD price), the values are sorted, and everyone between the 25th and 75th percentile gets one token as a reward. Everyone has the incentive to provide the answer that everyone else will provide, and the only value that a large number of players can realistically agree on is the obvious default: the truth. This creates a decentralized protocol that can theoretically provide any number of values, including the ETH/USD price, the temperature in Berlin or even the result of a particular hard computation.
  1. 分布式数据反馈。 对于不同的金融合约,实际上可能通过一个名为“SchellingCoin”的协议进行分布式数据反馈。 SchellingCoin的基本工作原理如下:N方都将给定数据(例如ETH / USD价格)的值输入到系统中,对值进行排序,并且在第25和75百分位之间的每个人都获得一个代币奖励。 每个人都有动力提供其他人将提供的答案,而大量玩家可以切实达成一致的唯一价值就是明显的默认值:事实。 这创建了一个分布式的协议,理论上可以提供任意数量的值,包括ETH / USD价格,柏林温度或甚至特定的硬计算结果。
  1. Smart multisignature escrow. Bitcoin allows multisignature transaction contracts where, for example, three out of a given five keys can spend the funds. Ethereum allows for more granularity; for example, four out of five can spend everything, three out of five can spend up to 10% per day, and two out of five can spend up to 0.5% per day. Additionally, Ethereum multisig is asynchronous - two parties can register their signatures on the blockchain at different times and the last signature will automatically send the transaction.
  1. 智能多重签名托管。 比特币允许多重签名交易合约,例如,给定五个密钥中的三个可以花费资金。 以太坊允许更多的粒度; 例如,五分之四的人可以消费任意数额,五分之三的人每天最高可花费10%,五分之二的人每天最高可花费0.5%。 此外,以太坊多重签名是异步的 - 双方可以在不同时间在区块链上注册其签名,最后一个签名将自动发送交易。
  1. Cloud computing. The EVM technology can also be used to create a verifiable computing environment, allowing users to ask others to carry out computations and then optionally ask for proofs that computations at certain randomly selected checkpoints were done correctly. This allows for the creation of a cloud computing market where any user can participate with their desktop, laptop or specialized server, and spot-checking together with security deposits can be used to ensure that the system is trustworthy (ie. nodes cannot profitably cheat). Although such a system may not be suitable for all tasks; tasks that require a high level of inter-process communication, for example, cannot easily be done on a large cloud of nodes. Other tasks, however, are much easier to parallelize; projects like SETI@home, folding@home and genetic algorithms can easily be implemented on top of such a platform.
  1. 云计算。 EVM技术也可用于创建可验证的计算环境,这允许用户请求其他人进行计算,然后可选择的要求提供证据,这些证据来自正确完成的随机选择的检查点。 这允许创建一个云计算市场,任何用户都可以通过他们的台式机,笔记本电脑或专用服务器参与其中,现场检查和安全保证金可以确保系统是可信的(即节点不能因欺骗而获利)。 虽然这样的系统可能不适合所有的任务, 例如,需要高级别进程间通信的任务不能在大型节点云上轻松完成。 但是,其他任务更容易并行化; 诸如SETI @ home,folding @ home和遗传算法等项目可以很容易地在这样的平台之上实现。
  1. Peer-to-peer gambling. Any number of peer-to-peer gambling protocols, such as Frank Stajano and Richard Clayton’s Cyberdice, can be implemented on the Ethereum blockchain. The simplest gambling protocol is actually simply a contract for difference on the next block hash, and more advanced protocols can be built up from there, creating gambling services with near-zero fees that have no ability to cheat.
  1. 点对点赌博。 任何数量的点对点赌博协议,例如Frank Stajano和Richard Clayton的Cyberdice,都可以在以太坊区块链上实施。 事实上最简单的赌博协议只是下一个块哈希差异的合约,并且可以从那里建立更高级的协议,以几乎为零的费用创建赌博服务,而且这些服务无法作弊。
  1. Prediction markets. Provided an oracle or SchellingCoin, prediction markets are also easy to implement, and prediction markets together with SchellingCoin may prove to be the first mainstream application of futarchy as a governance protocol for decentralized organizations.
  1. 预测市场。 提供一个预言或SchellingCoin,预测市场也很容易实现,有SchellingCoin的预测市场可能被证明是第一个分布式组织的组织管理协议的“futarchy”主流应用。
  1. On-chain decentralized marketplaces, using the identity and reputation system as a base.
  1. 链上分布式市场,以身份与信誉系统为基础

(四)、杂项和相关(Miscellanea And Concerns)

1、改进版“幽灵”协议实现(Modified GHOST Implementation)

The “Greedy Heaviest Observed Subtree” (GHOST) protocol is an innovation first introduced by Yonatan Sompolinsky and Aviv Zohar in December 2013. The motivation behind GHOST is that blockchains with fast confirmation times currently suffer from reduced security due to a high stale rate - because blocks take a certain time to propagate through the network, if miner A mines a block and then miner B happens to mine another block before miner A’s block propagates to B, miner B’s block will end up wasted and will not contribute to network security. Furthermore, there is a centralization issue: if miner A is a mining pool with 30% hashpower and B has 10% hashpower, A will have a risk of producing a stale block 70% of the time (since the other 30% of the time A produced the last block and so will get mining data immediately) whereas B will have a risk of producing a stale block 90% of the time. Thus, if the block interval is short enough for the stale rate to be high, A will be substantially more efficient simply by virtue of its size. With these two effects combined, blockchains which produce blocks quickly are very likely to lead to one mining pool having a large enough percentage of the network hashpower to have de facto control over the mining process.

“Greedy Heaviest Observed Subtree”(GHOST)幽灵协议是Yonatan Sompolinsky和Aviv Zohar于2013年12月首次提出的一项创新。提出GHOST协议的背后的动机是,由于高作废率,目前快速确认的区块链受累于降低的安全性 - 因为块的网络传播需要一定的时间,如果矿工A挖出一个区块,然后矿工B在矿工A的区块传播到B之前碰巧挖掘另一个区块,那么矿工B的区块将最终浪费并且不会有助于网络安全。此外,还有一个集中化问题:如果矿工A是一个拥有30%算力的采矿池,而B拥有10%算力,那么A将有70%的时间产生作废块的风险(因为另外30%的时间A产生了最后一个块,因此将立即获取挖掘数据),而B将有90%的时间产生作废块的风险。因此,如果区块产生的间隔足够短以使作废率较高,则仅凭借其大小的优势,A将显著的更加的高效。通过将这两种效应相结合,快速生成区块的区块链将很可能导致一个采矿池具有足够百分比的网络算力,以实际控制采矿过程。

As described by Sompolinsky and Zohar, GHOST solves the first issue of network security loss by including stale blocks in the calculation of which chain is the “longest”; that is to say, not just the parent and further ancestors of a block, but also the stale descendants of the block’s ancestor (in Ethereum jargon, “uncles”) are added to the calculation of which block has the largest total proof of work backing it. To solve the second issue of centralization bias, we go beyond the protocol described by Sompolinsky and Zohar, and also provide block rewards to stales: a stale block receives 87.5% of its base reward, and the nephew that includes the stale block receives the remaining 12.5%. Transaction fees, however, are not awarded to uncles.

正如Sompolinsky和Zohar所描述的那样,GHOST通过在计算哪个链是“最长”时包含作废块来解决网络安全损失的第一个问题; 也就是说,在计算哪个区块链具有最大的工作量证明时,所包含的区块,不仅仅是一个区块的父区块和进一步的祖先区块,而且也包括作废区块后代的祖先区块(在以太坊术语中称为“叔区块”)。 为了解决第二个——中心化偏见问题,我们超越了Sompolinsky和Zohar所描述的协议,为作废区块提供奖励:一个作废区块可以获得基本奖励的87.5%,包含该作废区块的侄区块获得剩余的12.5%。 但是,交易费用不会奖给叔区块。

Ethereum implements a simplified version of GHOST which only goes down seven levels. Specifically, it is defined as follows:

  • A block must specify a parent, and it must specify 0 or more uncles
  • An uncle included in block B must have the following properties:
    • It must be a direct child of the kth generation ancestor of B, where 2 <= k <= 7.
    • It cannot be an ancestor of B
    • An uncle must be a valid block header, but does not need to be a previously verified or even valid block
    • An uncle must be different from all uncles included in previous blocks and all other uncles included in the same block (non-double-inclusion)
  • For every uncle U in block B, the miner of B gets an additional 3.125% added to its coinbase reward and the miner of U gets 93.75% of a standard coinbase reward.


  • 一个区块必须指定一个父区块,0或者多个叔区块
  • 一个被包含在B区块的叔区块必须拥有如下属性:
    • 它必须是B区块的第k代祖先区块的直接子区块, 2 <= k <= 7。
    • 它不能是B区块的祖先区块
    • 叔区块必须是区块头有效的,但不必是先前验证的或者有效的区块
    • 叔区块必须与所有的被包含在以前区块的叔区块不同,并且所有其他叔区块被包含在同一个区块中(非双重包含)
  • 对每一个包含在B区块的叔区块U而言,挖掘出B区块的矿工获得额外的3.125%币基奖励,挖掘出U区块的矿工获得93.75%的标准的币基奖励

This limited version of GHOST, with uncles includable only up to 7 generations, was used for two reasons. First, unlimited GHOST would include too many complications into the calculation of which uncles for a given block are valid. Second, unlimited GHOST with compensation as used in Ethereum removes the incentive for a miner to mine on the main chain and not the chain of a public attacker.

这个限制性的GHOST版本,只有7代可使用,原因有两个。 首先,无限制的GHOST会在计算给定块的哪些叔区块合法时包含太多复杂因素。 其次,在以太坊中使用的无限制GHOST的补偿消除了激励矿工在主链挖矿,而不是成为主链的公共攻击者。


Because every transaction published into the blockchain imposes on the network the cost of needing to download and verify it, there is a need for some regulatory mechanism, typically involving transaction fees, to prevent abuse. The default approach, used in Bitcoin, is to have purely voluntary fees, relying on miners to act as the gatekeepers and set dynamic minimums. This approach has been received very favorably in the Bitcoin community particularly because it is “market-based”, allowing supply and demand between miners and transaction senders determine the price. The problem with this line of reasoning is, however, that transaction processing is not a market; although it is intuitively attractive to construe transaction processing as a service that the miner is offering to the sender, in reality every transaction that a miner includes will need to be processed by every node in the network, so the vast majority of the cost of transaction processing is borne by third parties and not the miner that is making the decision of whether or not to include it. Hence, tragedy-of-the-commons problems are very likely to occur.


However, as it turns out this flaw in the market-based mechanism, when given a particular inaccurate simplifying assumption, magically cancels itself out. The argument is as follows. Suppose that:

  • A transaction leads to k operations, offering the reward kR to any miner that includes it where R is set by the sender and k and R are (roughly) visible to the miner beforehand.
  • An operation has a processing cost of C to any node (ie. all nodes have equal efficiency)
  • There are N mining nodes, each with exactly equal processing power (ie. 1/N of total)
  • No non-mining full nodes exist.

然而,当给出一个特别不准确的简化假设时,这个基于市场的机制中证明了的缺陷,神奇地自行消除了。 论证如下。 假设:

  • 一个交易导致 k 个操作,提供 kR 奖励给任何收录交易的矿工,此处R是交易发送者设置的,同时k和R(大体上)事先对于矿工是可预见的。
  • 对于任何节点来说,一步操作的处理成本是C(假设所有的节点具有相同的效率)
  • 这里有N个拥有相同处理能力的挖矿节点,(例如,单个节点就是 1/N)
  • 不存在不挖矿的全节点

A miner would be willing to process a transaction if the expected reward is greater than the cost. Thus, the expected reward is kR/N since the miner has a 1/N chance of processing the next block, and the processing cost for the miner is simply kC. Hence, miners will include transactions where kR/N > kC, or R > NC. Note that R is the per-operation fee provided by the sender, and is thus a lower bound on the benefit that the sender derives from the transaction, and NC is the cost to the entire network together of processing an operation. Hence, miners have the incentive to include only those transactions for which the total utilitarian benefit exceeds the cost.

如果期望的回报大于成本,矿工会愿意处理交易。 因此,期望的回报是kR / N,因为矿工有1 / N处理下一个块的机会,并且矿工的处理成本仅为kC。 因此,矿工将在区块中包含 kR / N> kC或R> NC的交易。 请注意,R是交易发送人提供的每次的操作费用,因此是交易发送人(译注:可能此处为笔误,应该为矿工)从交易中获得的收益的下限,NC是整个网络一起处理操作的成本。 因此,矿工只有动机去包含收益超过成本的那些交易。

However, there are several important deviations from those assumptions in reality:

  • (1)The miner does pay a higher cost to process the transaction than the other verifying nodes, since the extra verification time delays block propagation and thus increases the chance the block will become a stale.
  • (2)There do exist nonmining full nodes.
  • (3)The mining power distribution may end up radically inegalitarian in practice.
  • (4)Speculators, political enemies and crazies whose utility function includes causing harm to the network do exist, and they can cleverly set up contracts where their cost is much lower than the cost paid by other verifying nodes.


  • (1) 因为额外的验证时间延迟了块的传播,从而增加了区块成为废区块的可能性,所以矿工在处理交易上所耗费的成本比其他验证节点的高。
  • (2)存在不挖矿的全节点。
  • (3)实际上,挖矿算力分布可能最终极度不平衡。
  • (4)以破坏网络为己任的投机者,政治敌人和疯子确实存在,并且他们可以巧妙地设置合约,使得他们的成本远低于其他验证节点。

(1) provides a tendency for the miner to include fewer transactions, and (2) increases NC; hence, these two effects at least partially cancel each other out.How? (3) and (4) are the major issue; to solve them we simply institute a floating cap: no block can have more operations than BLK_LIMIT_FACTOR times the long-term exponential moving average. Specifically:

(1)使得矿工包含更少的交易成为趋势,(2)增加NC; 因此,这两种效应至少部分相互抵消了。如何?(3)和(4)是主要问题; 为了解决它们,我们只需设置一个浮动上限:任何块都不能有超过BLK_LIMIT_FACTOR 倍数的长期指数移动平均值的操作数。 具体地:

blk.oplimit = floor((blk.parent.oplimit * (EMAFACTOR - 1) + floor(parent.opcount * BLK_LIMIT_FACTOR)) / EMA_FACTOR)

BLK_LIMIT_FACTOR and EMA_FACTOR are constants that will be set to 65536 and 1.5 for the time being, but will likely be changed after further analysis.


There is another factor disincentivizing large block sizes in Bitcoin: blocks that are large will take longer to propagate, and thus have a higher probability of becoming stales. In Ethereum, highly gas-consuming blocks can also take longer to propagate both because they are physically larger and because they take longer to process the transaction state transitions to validate. This delay disincentive is a significant consideration in Bitcoin, but less so in Ethereum because of the GHOST protocol; hence, relying on regulated block limits provides a more stable baseline.

还有另一个因素阻碍大区块在比特币中存在:大区块需要更长的时间才能传播,因此有更高的可能性成为废区块。 在以太坊中,消耗gas较高的区块也可能需要较长的时间才能传播,因为它们物理上较大,并且处理事务状态转换需要较长的时间才能生效。 这种延迟抑制是比特币的重要考虑因素,但由于GHOST协议的存在,在Ethereum中这并不那么重要; 因此,依靠规定的区块限值可以提供更稳定的基线。

3、计算和图灵完备(Computation And Turing-Completeness)

An important note is that the Ethereum virtual machine is Turing-complete; this means that EVM code can encode any computation that can be conceivably carried out, including infinite loops. EVM code allows looping in two ways. First, there is a JUMP instruction that allows the program to jump back to a previous spot in the code, and a JUMPI instruction to do conditional jumping, allowing for statements like while x < 27: x = x * 2. Second, contracts can call other contracts, potentially allowing for looping through recursion. This naturally leads to a problem: can malicious users essentially shut miners and full nodes down by forcing them to enter into an infinite loop? The issue arises because of a problem in computer science known as the halting problem: there is no way to tell, in the general case, whether or not a given program will ever halt.

一个重要的提醒是以太坊虚拟机是图灵完备的; 这意味着EVM代码可以编码任何可以实现的计算,包括无限循环。 EVM代码允许以两种方式循环。 第一种,有一个允许程序跳回到代码中的前一个点的JUMP指令,以及一个执行条件跳转的JUMPI指令,允许像x <27:x = x * 2这样的语句。第二种,合约可以调用其他合约,可能允许通过递归循环。 这自然会导致一个问题:恶意用户能否通过迫使他们进入无限循环来关闭矿池和完整节点? 出现这个问题是因为计算机科学中存在一个问题,称为停止问题:在一般情况下,无法说明给定的程序是否会停止。

As described in the state transition section, our solution works by requiring a transaction to set a maximum number of computational steps that it is allowed to take, and if execution takes longer computation is reverted but fees are still paid. Messages work in the same way. To show the motivation behind our solution, consider the following examples:

正如状态转换部分所述,我们的解决方案的运行是通过要求交易设置允许采用的最大计算步骤数,如果执行时间更长,那么计算将会反转,但费用仍需仍会支付。 消息以相同的方式工作。 为了展示我们解决方案背后的动机,请考虑以下示例:

An attacker creates a contract which runs an infinite loop, and then sends a transaction activating that loop to the miner. The miner will process the transaction, running the infinite loop, and wait for it to run out of gas. Even though the execution runs out of gas and stops halfway through, the transaction is still valid and the miner still claims the fee from the attacker for each computational step.

攻击者创建一个运行无限循环的合同,然后发送一个激活该循环的交易给矿工。 矿工将处理交易,运行无限循环,并等待它耗尽gas。 即使运行耗尽了gas,在运行到一半时停止了,交易仍然有效,并且矿工仍然可以要求攻击者为每个计算步骤支付费用。

An attacker creates a very long infinite loop with the intent of forcing the miner to keep computing for such a long time that by the time computation finishes a few more blocks will have come out and it will not be possible for the miner to include the transaction to claim the fee. However, the attacker will be required to submit a value for STARTGAS limiting the number of computational steps that execution can take, so the miner will know ahead of time that the computation will take an excessively large number of steps.

攻击者创建了一个非常长的无限循环,其目的是迫使矿工持续计算这么长时间,所以当计算完成时,会有更多的区块产生出来,因此对于矿工(译注:负责计算非常长无限循环的矿工)来说包含交易索取费用将不再可能。 然而,攻击者将被要求提交一个STARTGAS的值,以限制可以执行的计算步骤的数量,所以矿工会提前知道计算过程需要极其大量的步骤。

An attacker sees a contract with code of some form like send(A,contract.storage[A]); contract.storage[A] = 0, and sends a transaction with just enough gas to run the first step but not the second (ie. making a withdrawal but not letting the balance go down). The contract author does not need to worry about protecting against such attacks, because if execution stops halfway through the changes get reverted.

攻击者通过某种形式的代码来查看合约,如send(A,contract.storage [A]); contract.storage [A] = 0,并发送一个只有足够的gas来运行第一步但不是第二步的交易(即提款但不让余额下降)。 合约制定者不需要担心防范这种攻击,因为如果执行中途停止,更改将被恢复。

A financial contract works by taking the median of nine proprietary data feeds in order to minimize risk. An attacker takes over one of the data feeds, which is designed to be modifiable via the variable-address-call mechanism described in the section on DAOs, and converts it to run an infinite loop, thereby attempting to force any attempts to claim funds from the financial contract to run out of gas. However, the financial contract can set a gas limit on the message to prevent this problem.

金融合约通过采用九个专有数据反馈的中间值来降低风险。 攻击者接管其中一个数据反馈,该数据反馈旨在通过DAO部分中描述的可变地址呼叫机制进行修改,并将其转换为运行无限循环,从而强制任何尝试从金融合约索取利益的努力因耗尽gas而中止。 但是,金融合约可以设置消息的gas限制以防止此问题发生。

The alternative to Turing-completeness is Turing-incompleteness, where JUMP and JUMPI do not exist and only one copy of each contract is allowed to exist in the call stack at any given time. With this system, the fee system described and the uncertainties around the effectiveness of our solution might not be necessary, as the cost of executing a contract would be bounded above by its size. Additionally, Turing-incompleteness is not even that big a limitation; out of all the contract examples we have conceived internally, so far only one required a loop, and even that loop could be removed by making 26 repetitions of a one-line piece of code. Given the serious implications of Turing-completeness, and the limited benefit, why not simply have a Turing-incomplete language? In reality, however, Turing-incompleteness is far from a neat solution to the problem. To see why, consider the following contracts:

图灵完备性的替代是图灵不完备性,其中JUMP和JUMPI不存在,并且在任何给定时间只允许在调用堆栈中存在每个合约的一个副本。 在这个系统中,所描述的费用体系和我们解决方案效力的不确定性不再是必须,因为执行合同的成本将受到其规模的限制。 另外,图灵不完备性甚至也不是那么大的限制; 在我们内部构想的所有合约示例中,到目前为止,只有一个需要循环,即使那样也可以通过重复26行单行代码来消除该循环。 考虑到图灵完备性的严重影响以及有限的收益,为什么不简单地使用图灵不完备的语言呢? 然而,事实上,图灵不完备性并不能很好地解决这个问题。 要明白为什么,请考虑以下合约:

C0: call(C1); call(C1);
C1: call(C2); call(C2);
C2: call(C3); call(C3);
C49: call(C50); call(C50);
C50: (run one step of a program and record the change in storage)

Now, send a transaction to A. Thus, in 51 transactions, we have a contract that takes up 250computational steps. Miners could try to detect such logic bombs ahead of time by maintaining a value alongside each contract specifying the maximum number of computational steps that it can take, and calculating this for contracts calling other contracts recursively, but that would require miners to forbid contracts that create other contracts (since the creation and execution of all 26 contracts above could easily be rolled into a single contract). Another problematic point is that the address field of a message is a variable, so in general it may not even be possible to tell which other contracts a given contract will call ahead of time. Hence, all in all, we have a surprising conclusion: Turing-completeness is surprisingly easy to manage, and the lack of Turing-completeness is equally surprisingly difficult to manage unless the exact same controls are in place - but in that case why not just let the protocol be Turing-complete?

现在,向A发送一笔交易。因此,在51笔交易中,我们有一份包含250个计算步骤的合约。矿工们可以尝试提前检测这种逻辑炸弹,方法是为每个合约保留一个值,限定其可以采取的最大计算步骤数,然后对递归调用其他合同的合同进行计算,但这要求矿工禁止合约创建其他合约(因为上述所有26份合约的创建和执行可以很容易地合并成一份合约)。另一个问题是,消息的地址字段是一个变量,所以一般情况下甚至不可能知道给定合约将提前调用哪些其他合约。因此,总而言之,我们得出了一个令人惊讶的结论:图灵完备性出奇地容易管理;除非有相同的控制措施,缺乏图灵完备性同样令人惊讶地难以管理 - 但在这种情况下,为什么不让协议成为图灵完备的呢?

4、货币和发行(Currency And Issuance)

The Ethereum network includes its own built-in currency, ether, which serves the dual purpose of providing a primary liquidity layer to allow for efficient exchange between various types of digital assets and, more importantly, of providing a mechanism for paying transaction fees. For convenience and to avoid future argument (see the current mBTC/uBTC/satoshi debate in Bitcoin), the denominations will be pre-labelled:

以太坊网络包括自己的内置货币,ether,它服务于如下双重目的,提供主要流动性层,以实现各种数字资产之间的有效交换,更重要的是,提供支付交易费用的机制。 为了方便和避免未来的争论(参见比特币当前的mBTC / uBTC / satoshi辩论),这些面值将被预先标记:

1: wei
10^12: szabo
10^15: finney
10^18: ether

This should be taken as an expanded version of the concept of “dollars” and “cents” or “BTC” and “satoshi”. In the near future, we expect “ether” to be used for ordinary transactions, “finney” for microtransactions and “szabo” and “wei” for technical discussions around fees and protocol implementation; the remaining denominations may become useful later and should not be included in clients at this point.

这应该被视为“美元”和“美分”或“BTC”和“satoshi”概念的扩展版本。 在不久的将来,我们期望“ether”用于普通交易,“finney”用于微交易,“szabo”和“wei”用于费用和协议实施的技术讨论; 其余的面值可能会稍后变得有用,此时不应包含在客户端中。

The issuance model will be as follows:
Ether will be released in a currency sale at the price of 1000-2000 ether per BTC, a mechanism intended to fund the Ethereum organization and pay for development that has been used with success by other platforms such as Mastercoin and NXT. Earlier buyers will benefit from larger discounts. The BTC received from the sale will be used entirely to pay salaries and bounties to developers and invested into various for-profit and non-profit projects in the Ethereum and cryptocurrency ecosystem.

以太网将以 1000-2000ether/BTC 的价格进行货币销售,这一机制旨在为以太坊组织提供资金,并支付开发者报酬,这一方式已被其他平台(如Mastercoin和NXT)成功使用。 较早的买家将受益于较大的折扣。 从销售中获得的BTC将完全用于向开发者支付薪水和奖金,并投资于以太坊和加密货币生态系统中的各种营利和非盈利项目。

  • 0.099x the total amount sold (60102216 ETH) will be allocated to the organization to compensate early contributors and pay ETH-denominated expenses before the genesis block.
  • 0.099x the total amount sold will be maintained as a long-term reserve.
  • 0.26x the total amount sold will be allocated to miners per year forever after that point.
  • 已售出总金额(60102216 ETH)的0.099x将分配给组织,以补偿早期贡献者,用以太币计价的方式支付在创世块诞生前的花费。
  • 已售总额的0.099将作为长期储备而保持。
  • 已售总额的0.26将每年被矿工挖出。

Long-Term Supply Growth Rate (percent) 长期供应增长率(百分比)


Despite the linear currency issuance, just like with Bitcoin over time the supply growth rate nevertheless tends to zero


The two main choices in the above model are (1) the existence and size of an endowment pool, and (2) the existence of a permanently growing linear supply, as opposed to a capped supply as in Bitcoin. The justification of the endowment pool is as follows. If the endowment pool did not exist, and the linear issuance reduced to 0.217x to provide the same inflation rate, then the total quantity of ether would be 16.5% less and so each unit would be 19.8% more valuable. Hence, in the equilibrium 19.8% more ether would be purchased in the sale, so each unit would once again be exactly as valuable as before. The organization would also then have 1.198x as much BTC, which can be considered to be split into two slices: the original BTC, and the additional 0.198x. Hence, this situation is exactly equivalent to the endowment, but with one important difference: the organization holds purely BTC, and so is not incentivized to support the value of the ether unit.

上述模型中的两个主要选择是(1)禀赋(译注:初始拥有的资源,详见知乎)池的存在和规模,以及(2)存在一个永久增长的线性供给,而不是像比特币那样的总量限制供给。 禀赋池存在的理由如下。 如果禀赋池不存在,线性发行量将减少到0.217x以提供相同的通货膨胀率,那么ether的总量将减少16.5%,因此每个单位的价值将增加19.8%。 因此,在平衡销售中,19.8%的ether将会被购买,所以每个单位将再次与以前一样有价值。 组织还将拥有与BTC等值的1.198x以太币,这可以被认为分为两部分:最初的BTC和额外的0.198x。 因此,这种情况与禀赋完全相同,但有一个重要区别:组织持有的是纯粹的BTC,因此并不支持以太币单位的价值。

The permanent linear supply growth model reduces the risk of what some see as excessive wealth concentration in Bitcoin, and gives individuals living in present and future eras a fair chance to acquire currency units, while at the same time retaining a strong incentive to obtain and hold ether because the “supply growth rate” as a percentage still tends to zero over time. We also theorize that because coins are always lost over time due to carelessness, death, etc, and coin loss can be modeled as a percentage of the total supply per year, that the total currency supply in circulation will in fact eventually stabilize at a value equal to the annual issuance divided by the loss rate (eg. at a loss rate of 1%, once the supply reaches 26X then 0.26X will be mined and 0.26X lost every year, creating an equilibrium).

永久性线性供给增长模型降低了一些人认为比特币中财富过度集中的风险,并且使得生活在当前和未来时代的个人有一个获得货币的公平机会,同时保留强烈的获取和持有动机,因为随着时间的推移,“供应增长率”百分比将趋近于零。 我们还可以从理论上证明,因为粗心大意,死亡等原因,以太币总是会随时间而减少,而以太币的流失可以模拟为每年总供给的百分比,因此流通中的货币总量实际上最终会稳定在一个数值,等于年发行额除以损失率(例如损失率为1%,一旦供应量达到26X,那么将开采0.26X,每年损失0.26X,创造均衡)。

Note that in the future, it is likely that Ethereum will switch to a proof-of-stake model for security, reducing the issuance requirement to somewhere between zero and 0.05X per year. In the event that the Ethereum organization loses funding or for any other reason disappears, we leave open a “social contract”: anyone has the right to create a future candidate version of Ethereum, with the only condition being that the quantity of ether must be at most equal to 60102216 * (1.198 + 0.26 * n) where n is the number of years after the genesis block. Creators are free to crowd-sell or otherwise assign some or all of the difference between the PoS-driven supply expansion and the maximum allowable supply expansion to pay for development. Candidate upgrades that do not comply with the social contract may justifiably be forked into compliant versions.

请注意,在未来,以太坊很可能会转而采用权益证明模式来确保安全性,将发行要求降低至每年0至0.05X之间。 如果以太坊组织失去资金或出于任何其他原因而消失,我们将开放一个“社会契约”:任何人都有权创建一个未来候选版本的以太坊,唯一的条件是以太币的数量必须是 最多等于60102216 *(1.198 + 0.26 * n),其中n是创始块产生后的年数。 创建者可以自由地通过众筹或以其他方式分配PoS驱动的供应扩展和最大允许供应扩展之间的部分或全部差异,以支付开发费用。 不符合社区合约的候选版本的升级可能被合理地分叉为兼容版本。

5、挖矿中心化(Mining Centralization)

The Bitcoin mining algorithm works by having miners compute SHA256 on slightly modified versions of the block header millions of times over and over again, until eventually one node comes up with a version whose hash is less than the target (currently around 2192). However, this mining algorithm is vulnerable to two forms of centralization. First, the mining ecosystem has come to be dominated by ASICs (application-specific integrated circuits), computer chips designed for, and therefore thousands of times more efficient at, the specific task of Bitcoin mining. This means that Bitcoin mining is no longer a highly decentralized and egalitarian pursuit, requiring millions of dollars of capital to effectively participate in. Second, most Bitcoin miners do not actually perform block validation locally; instead, they rely on a centralized mining pool to provide the block headers. This problem is arguably worse: as of the time of this writing, the top three mining pools indirectly control roughly 50% of processing power in the Bitcoin network, although this is mitigated by the fact that miners can switch to other mining pools if a pool or coalition attempts a 51% attack.


The current intent at Ethereum is to use a mining algorithm where miners are required to fetch random data from the state, compute some randomly selected transactions from the last N blocks in the blockchain, and return the hash of the result. This has two important benefits. First, Ethereum contracts can include any kind of computation, so an Ethereum ASIC would essentially be an ASIC for general computation - ie. a better CPU. Second, mining requires access to the entire blockchain, forcing miners to store the entire blockchain and at least be capable of verifying every transaction. This removes the need for centralized mining pools; although mining pools can still serve the legitimate role of evening out the randomness of reward distribution, this function can be served equally well by peer-to-peer pools with no central control.

以太坊目前的意图是使用挖掘算法,矿工需要从状态中提取随机数据,计算区块链中最后N个块的一些随机选择的交易,并返回结果的散列值。 这有两个重要的好处。 首先,以太坊合约可以包括任何种类的计算,因此以太坊ASIC本质上只能当成一般计算的ASIC -例如, 一个更好的CPU。 其次,采矿需要访问整个区块链,迫使矿工存储整个区块链,并至少能够验证每笔交易。 这消除了对集中式矿池的需求; 虽然矿池仍然可以起到平衡奖励分配随机性的合法作用,但这种功能可以通过没有中央控制的对等池进行同样的服务。

This model is untested, and there may be difficulties along the way in avoiding certain clever optimizations when using contract execution as a mining algorithm. However, one notably interesting feature of this algorithm is that it allows anyone to “poison the well”, by introducing a large number of contracts into the blockchain specifically designed to stymie certain ASICs. The economic incentives exist for ASIC manufacturers to use such a trick to attack each other. Thus, the solution that we are developing is ultimately an adaptive economic human solution rather than purely a technical one.

该模型未经测试,在使用合约执行作为挖掘算法时,避免某些巧妙的优化方法可能会遇到困难。 然而,这种算法的一个值得注意的特点是,它允许任何人通过将大量合约引入专门设计用于阻碍特定ASIC的运行,这好比“井里下毒”。由于经济激励措施存在,ASIC制造商会使用这种技巧来进行互相攻击。 因此,我们正在开发的解决方案最终是一种,适应的经济人,而非纯粹的技术解决方案。

6、Scalability 可扩展性

One common concern about Ethereum is the issue of scalability. Like Bitcoin, Ethereum suffers from the flaw that every transaction needs to be processed by every node in the network. With Bitcoin, the size of the current blockchain rests at about 15 GB, growing by about 1 MB per hour. If the Bitcoin network were to process Visa’s 2000 transactions per second, it would grow by 1 MB per three seconds (1 GB per hour, 8 TB per year). Ethereum is likely to suffer a similar growth pattern, worsened by the fact that there will be many applications on top of the Ethereum blockchain instead of just a currency as is the case with Bitcoin, but ameliorated by the fact that Ethereum full nodes need to store just the state instead of the entire blockchain history.

关于以太坊的一个常见问题是可扩展性问题。 和比特币一样,以太坊也面临着每个交易需要由网络中的每个节点处理的缺陷。 使用比特币,目前区块链的规模约为15 GB,每小时增长约1 MB。 如果比特币网络每秒处理Visa 2000次交易,则每三秒钟增长1MB(每小时1GB,每年8TB)。 以太坊可能会遭受类似的增长模式,事实上更糟糕的是,在以太坊区块链上将会有许多应用程序,而不仅仅是像比特币一样的货币,但是由于事实上的改进,以太坊全节点需要存储的只是状态而不是整个区块链历史。

The problem with such a large blockchain size is centralization risk. If the blockchain size increases to, say, 100 TB, then the likely scenario would be that only a very small number of large businesses would run full nodes, with all regular users using light SPV nodes. In such a situation, there arises the potential concern that the full nodes could band together and all agree to cheat in some profitable fashion (eg. change the block reward, give themselves BTC). Light nodes would have no way of detecting this immediately. Of course, at least one honest full node would likely exist, and after a few hours information about the fraud would trickle out through channels like Reddit, but at that point it would be too late: it would be up to the ordinary users to organize an effort to blacklist the given blocks, a massive and likely infeasible coordination problem on a similar scale as that of pulling off a successful 51% attack. In the case of Bitcoin, this is currently a problem, but there exists a blockchain modification suggested by Peter Todd which will alleviate this issue.


In the near term, Ethereum will use two additional strategies to cope with this problem. First, because of the blockchain-based mining algorithms, at least every miner will be forced to be a full node, creating a lower bound on the number of full nodes. Second and more importantly, however, we will include an intermediate state tree root in the blockchain after processing each transaction. Even if block validation is centralized, as long as one honest verifying node exists, the centralization problem can be circumvented via a verification protocol. If a miner publishes an invalid block, that block must either be badly formatted, or the state S[n] is incorrect. Since S[0] is known to be correct, there must be some first state S[i] that is incorrect where S[i-1] is correct. The verifying node would provide the index i, along with a “proof of invalidity” consisting of the subset of Patricia tree nodes needing to process APPLY(S[i-1],TX[i]) -> S[i]. Nodes would be able to use those nodes to run that part of the computation, and see that the S[i] generated does not match the S[i] provided.

在短期内,以太坊将采用另外两种策略来解决这个问题。首先,由于基于区块链的挖掘算法,至少每个矿工将被迫成为一个完整的节点,从而在全节点的数量上形成了一个下限。其次,更重要的是,在处理每个交易之后,我们将在区块链中包含一个中间状态树根。即使块验证是集中式的,只要存在一个诚实的验证节点,集中问题就可以通过验证协议规避。如果一个矿工发布了一个无效块,那么该块必须格式化得很差,或者状态S [n]不正确。由于已知S [0]是正确的,所以在S [i-1]正确的情况下,必定有一些第一状态S [i]不正确。验证节点将提供索引 i 以及由需要处理APPLY(S [i-1],TX [i]) - > S [i]的Patricia树节点的子集组成的“无效证明”。节点将能够使用这些节点来运行该部分计算,并且看到生成的S [i]与提供的S [i]不匹配。

Another, more sophisticated, attack would involve the malicious miners publishing incomplete blocks, so the full information does not even exist to determine whether or not blocks are valid. The solution to this is a challenge-response protocol: verification nodes issue “challenges” in the form of target transaction indices, and upon receiving a node a light node treats the block as untrusted until another node, whether the miner or another verifier, provides a subset of Patricia nodes as a proof of validity.

另一个更复杂的攻击将涉及恶意的矿工发布不完整的块,因此甚至不存在全部信息来确定块是否有效。 对此的解决方案是 质疑-响应 协议:验证节点以目标交易索引的形式发出“质疑”,接收到信息的节点,轻节点将该块视为不可信,直到另一节点(无论是矿工还是另一验证者)提供Patricia 节点的一个子集作为有效性的证明。


The Ethereum protocol was originally conceived as an upgraded version of a cryptocurrency, providing advanced features such as on-blockchain escrow, withdrawal limits, financial contracts, gambling markets and the like via a highly generalized programming language. The Ethereum protocol would not “support” any of the applications directly, but the existence of a Turing-complete programming language means that arbitrary contracts can theoretically be created for any transaction type or application. What is more interesting about Ethereum, however, is that the Ethereum protocol moves far beyond just currency. Protocols around decentralized file storage, decentralized computation and decentralized prediction markets, among dozens of other such concepts, have the potential to substantially increase the efficiency of the computational industry, and provide a massive boost to other peer-to-peer protocols by adding for the first time an economic layer. Finally, there is also a substantial array of applications that have nothing to do with money at all.


The concept of an arbitrary state transition function as implemented by the Ethereum protocol provides for a platform with unique potential; rather than being a closed-ended, single-purpose protocol intended for a specific array of applications in data storage, gambling or finance, Ethereum is open-ended by design, and we believe that it is extremely well-suited to serving as a foundational layer for a very large number of both financial and non-financial protocols in the years to come.

由以太坊协议实施的任意状态转换功能的概念提供了一个具有独特潜力的平台; 而不是一个封闭式的单一用途协议,专门用于数据存储,赌博或金融领域的特定应用。以太坊在设计上是开放式的,在今后几年中,我们相信它非常适合作为大量的财务和非财务协议的基础协议。


  1. A sophisticated reader may notice that in fact a Bitcoin address is the hash of the elliptic curve public key, and not the public key itself. However, it is in fact perfectly legitimate cryptographic terminology to refer to the pubkey hash as a public key itself. This is because Bitcoin’s cryptography can be considered to be a custom digital signature algorithm, where the public key consists of the hash of the ECC pubkey, the signature consists of the ECC pubkey concatenated with the ECC signature, and the verification algorithm involves checking the ECC pubkey in the signature against the ECC pubkey hash provided as a public key and then verifying the ECC signature against the ECC pubkey.
  1. 一个有经验的读者可能会注意到,实际上比特币地址是椭圆曲线公钥的散列值,而不是公钥本身。 然而,事实上,将公钥散列作为公钥本身就是完全合法的加密术语。 这是因为比特币的密码学可以被认为是一种自定义的数字签名算法,其中公钥由ECC公钥的散列组成,签名由与ECC签名串联的ECC公钥组成,并且验证算法涉及检查ECC 签名中的公钥与作为公钥提供的ECC 公钥哈希签名,然后根据ECC pubkey验证ECC签名。
  1. Technically, the median of the 11 previous blocks.
  1. 从技术上来看,前11个区块的中位数
  1. Internally, 2 and “CHARLIE” are both numbers, with the latter being in big-endian base 256 representation. Numbers can be at least 0 and at most 2256-1.
  1. 在内部,2和“CHARLIE”都是数字,后一个有巨大的base256编码格式。 数字从0到2^256-1不等。
< <上一篇