As far as attacking, yes you do need some stake at least initially to attack a poS coin, so it's not truly free. probably you would need something on the order of a 1% stake. But on the other hand, it doesn't necessarily mean poS will work at larger scales; many have serious concerns about the security model. You are right that the concerns are theoretical as of now.
It would need significantly more than 1% stake. Again, I am thinking in terms of DPoS, as I don't have a thorough knowledge of the alternatives.
Whether the security remains as robust with scaling remains to be seen, but that is only possible when it gets big. I haven't seen any good theoretical attack vectors which may compromise it on a bigger scale. In case it does, the developers have to look at improving the solution, like DPoS itself was an evolution through a series of steps.
DPoS (aka Delegated PoS) is a joke because it adds a social construct to chain security which is easily manipulated. This makes it susceptible to Sybil attack and breaks it. There is no way to
prove the delegates are unique individuals.
THIS IS A FATAL FLAW!An individual can create
multiple delegates and get stakeholders to approve them via deception. This gives the illusion that there are 101 unique delegates when in reality many delegates are in fact one individual. When you consider that multiple individuals could collude to create these faux delegates, it becomes obvious that gaining control over 51% of the delegates would not be that difficult. It's even more vulnerable because Bitshares is trying to attract "businesses and developers" as delegates. All someone would have to do to get voted in as a delegate is to post a convincing but fake business plan or resume and the stakeholders would eagerly pull in the Trojan horse.
Some Bitshares' users ask about how to tell if delegates are unique, but they get no response from the devs.
Bitshares has already had a Sybil attack occur earlier this year when it was uncovered that an individual named "sfinder" actually controlled the
TOP 5 DELEGATES!It becomes laughable when the main Bitshares' dev, Daniel Larimer (aka Bytemaster), appears in the thread and
starts asking if anyone else knows what other delegates "sfinder" controls. The Bitshares' devs obviously know about this problem, but they still have the audacity to say that "Bitshares is your gateway to the
decentralized world!"
The truth of this matter is, that as everyone knows who was around in 2013, Bitshares was originally going to be PoW. The Bitshares' devs only decided to switch to PoS after they saw the success of NXT. In a flawed attempt to look original, they added "delegates" to PoS which effectively destroyed it by adding centralization and opening it up to the aforementioned Sybil attacks.