There are several variants of the Nothing-at-Stake (N@S) weakness in non-PoW coins:
#1 Selfish nodes have an incentive to double-mine on multiple forks.
#2 Stakeholders have an incentive to sell old, unused keys, as they have nothing to lose anymore.
#3 An attacker can rent or short more than 50% of the existing coins without taking any risk (there are no unrecoverable sunk costs, as opposed to PoW).
All three scenarios make it easier and less costly to double-spend or to disrupt the currency, so an attacker doesn't need to hold more than 50% of the stake in order to carry out his plot.
Double-mining itself (#1) can occur in two different forms:
- Actual double-mining where the node is creating and broadcasting separate blocks on two or more chain forks.
- Probabilistic double-mining, where the node tries to mint on top of every chain fork it is aware of but only broadcasts a single block. PoS coins often specify a block selection rule that decides which fork to mint on if both have the same length; according to the protocol, you would only mint on top of the fork that you received first. But you have an incentive to modify your client so that it tries to mint on both forks, to maximize your chances of finding a valid block.
Punitive schemes such as Slasher are proposed to defend against actual double-mining by requiring minters to make a deposit that is destroyed if the minter is later caught double-minting (other minters can prove the fact by publishing an evidence transaction). The probabilistic mining strategy can be avoided if the next minter is decided before a fork starts. To that end, one can have a protocol in which it is not the current block n that determines the next minter, but an older block further down the chain (block n - k). This way you either have the opportunity to mint on both forks or on neither (provided that the fork is not longer than k blocks).
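As an added illustration of the block (n - k) lookback rule (this is a constructed toy model, not code from this post, from Slasher or from any real PoS client): each stakeholder's eligibility for the next block is a lottery seeded by the hash of the block k positions back, and two competing forks of length f ≤ k share that seed block, so a node is eligible on both forks or on neither; with k = 0 the seeds differ and trying both forks pays off. Stakeholder names, stakes and block contents are assumptions.

```python
import hashlib

# Constructed toy stake distribution (stake units); not a real coin's data.
STAKEHOLDERS = {"alice": 40, "bob": 35, "carol": 25}
TOTAL_STAKE = sum(STAKEHOLDERS.values())

def block_hash(parent, tag):
    """Toy block id committing to its parent and a distinguishing tag."""
    return hashlib.sha256(f"{parent}|{tag}".encode()).hexdigest()

def build_chain(length):
    """Main chain of `length` blocks starting from a genesis marker."""
    chain = ["genesis"]
    for i in range(1, length):
        chain.append(block_hash(chain[-1], f"main{i}"))
    return chain

def fork(prefix, fork_len, label):
    """Extend `prefix` by fork_len blocks; different labels give competing forks."""
    chain = list(prefix)
    for i in range(fork_len):
        chain.append(block_hash(chain[-1], f"{label}{i}"))
    return chain

def can_mint(chain, minter, k):
    """Is `minter` eligible for the next block? The lottery is seeded by block
    n - k (k = 0: the current tip) and succeeds with probability stake/total."""
    seed = chain[-1 - k]
    draw = int(hashlib.sha256(f"{seed}|{len(chain)}|{minter}".encode()).hexdigest(), 16)
    threshold = (STAKEHOLDERS[minter] << 256) // TOTAL_STAKE
    return draw < threshold

def forks_always_agree(fork_len, k, trials=50):
    """True if, over many constructed prefixes, every stakeholder is eligible on
    both competing forks of length fork_len or on neither, i.e. trying both forks
    gains nothing. Holds whenever fork_len <= k: the seed block is then in the
    common prefix. With fork_len > k the seeds differ and disagreements appear."""
    for t in range(trials):
        prefix = build_chain(10 + t)
        a, b = fork(prefix, fork_len, "A"), fork(prefix, fork_len, "B")
        for m in STAKEHOLDERS:
            if can_mint(a, m, k) != can_mint(b, m, k):
                return False
    return True

if __name__ == "__main__":
    print("k=0, 2-block forks agree:", forks_always_agree(2, 0))  # seeds differ
    print("k=3, 2-block forks agree:", forks_always_agree(2, 3))  # same seed
```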
NeuCoin uses a different punitive scheme in which both blocks of the double-minter are simply discarded by the other nodes.
Concerning #2, the linked paper also shows (p. 30) how difficult it is for an attacker to rewrite history, as he needs (virtual) time to catch up with the network:
In addition, in double spend attacks where the attacker is using a stake that he actually owns (say 20% of all staked coins), the rest of the network with which he competes owns the remaining 80%. However, when using old private keys to 20% of the staked coins, the attacker is competing against not 80% of the staked coins but against 100% of them, because the attacker's old coins are now owned by new parties who mine on the main chain.
attempting to rewrite history over a long range makes things much harder. For example, an attacker controlling private keys over 60% of the coins 2 days in the past would have ∼ 10^−141 chance of ever catching up with the network. To be able to rewrite history over a significant period of time (a few days or more), the attacker actually needs to own old private keys giving control over more coins than are currently staking on the main chain.
It appears that N@S attacks of types #1 and #2 can be successfully prevented by incorporating appropriate incentive and disincentive mechanisms in the protocol.
On the other hand, I'm not aware of any cryptocurrency (or white paper) that solves or at least tackles issue #3. That's why I'm currently working on my own proposal to solve (or at least mitigate) this fundamental problem.