Topic: Proof that Proof of Stake is either extremely vulnerable or totally centralised - page 2. (Read 11768 times)

full member
Activity: 351
Merit: 134
monsterer's lack of understanding of what is required is mind-blowing.
Long range attacks are more complicated than what has been mentioned.

Have you even read the OP? This attack is not long range, it's short range - below your precious reorg depth limit.

Even the most pessimistic cost assessment puts this attack at 3% stake.
member
Activity: 364
Merit: 13
Killing Lightning Network with a 51% Ignore attack
There is no way to create a 100% safe coin. That's why I also wrote that I consider a "last resort hardfork" or UASF, changing the mining algorithm (to throw off the miners using a distinct ASIC model) a legitimate action.

However, I still consider PoW superior to PoS, because attack cost is more predictable. I have written that I estimate attack costs to be similar between PoW and PoS. But in PoS, the calculation is not easy, because there are many more variables to take into account. Perhaps monsterer is right and a certain variable combination results in a comparatively cheap attack.

My favourite for the moment is the combination of PoW, PoS and PoB. Wink

Combining consensus methods does not combine their strengths, it combines their weaknesses.
 

Quote
Which is one problem with PoW design: if you have over 51% you can maintain constant control over the network,
while in a PoS design your % is always in flux, as when you stake your coins go dormant for a length of time, removing your ability to control the network.
If you mean 51% of total stake, this is false. If you can control 51% for a certain time, you can easily secure permanent 51%. It is even worse than with PoW, because in PoW you need to waste electricity to preserve the 51%, in PoS you don't.

If you were referring to an attack with e.g. 10-15% of the total stake having 51% of the "currently active stake", then you may be right - the other coin holders could connect to the network and stop the attack.


If you have 51% and stake 6%, you are now only at 45% until the dormant period has passed, and the other 49% now outstakes you until their % drops below yours.
Which is why I say PoS 51% is only in control for a limited time and the staking % drops as soon as you use it for a specified time period.
Even with 51% you can't control a PoS coin 100% of the time like a PoW coin.
PoS coins with coin age are even harder to predict; as one old friend said, Proof of Stake is secured by chaos itself.


Quote
A PoS network in contrast can only be controlled for a limited time due to the dormancy requirement after staking.
No. Nothing stops the attacker from using several addresses for his attack.

Addresses are irrelevant,
once staked PoS coins go dormant for a preset time, anywhere from 24 hours to 90 days depending on the specs.
They can't generate new blocks until they are no longer dormant.

And the attacker could even preserve his (emptied) keys to launch "long term attacks" like the one monsterer described.

monsterer's lack of understanding of what is required is mind-blowing.
Long range attacks are more complicated than what has been mentioned.
Target difficulty / Modifier Intervals / Coin Age / Blocks required / Block Propagation timing / Tricking nodes into a reorg

Not only is it incredibly complicated, it can all be blocked with Random Checkpoints or rolling checkpoints
or even if the main chain just maintains a higher coin age than the attacker's chain.
*Also the fact that the sold coins will probably be staking on the main chain after being sold, gets lost in translation.*

So forgive me when I ignore his concerns; I did offer him the opportunity to prove his theories, but he declined.  Cheesy
 

FYI:
As you mentioned in an earlier post, short range attacks are the best chance for an attacker, but that is in PoS or PoW.
The complications of a Long Range attack grow with every day that passes, for PoS or PoW.
legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
If at any time the profit / incentive sways from protecting Bitcoin or Ethereum or Litecoin to attacking them,
since the PoW miners are selfish in motive (Greed/Profit), they will switch as they consider their ASICs more valuable than the coins they produce.

IE: Bitcoin is Completely Safe as long as the Chinese Miners Agree it is.
Just as Paypal is safe as long as their centralized control agrees it is.
There is no way to create a 100% safe coin. That's why I also wrote that I consider a "last resort hardfork" or UASF, changing the mining algorithm (to throw off the miners using a distinct ASIC model) a legitimate action.

However, I still consider PoW superior to PoS, because attack cost is more predictable. I have written that I estimate attack costs to be similar between PoW and PoS. But in PoS, the calculation is not easy, because there are many more variables to take into account. Perhaps monsterer is right and a certain variable combination results in a comparatively cheap attack.

My favourite for the moment is the combination of PoW, PoS and PoB. Wink


Quote
Which is one problem with PoW design: if you have over 51% you can maintain constant control over the network,
while in a PoS design your % is always in flux, as when you stake your coins go dormant for a length of time, removing your ability to control the network.
If you mean 51% of total stake, this is false. If you can control 51% for a certain time, you can easily secure permanent 51%. It is even worse than with PoW, because in PoW you need to waste electricity to preserve the 51%, in PoS you don't.

If you were referring to an attack with e.g. 10-15% of the total stake having 51% of the "currently active stake", then you may be right - the other coin holders could connect to the network and stop the attack.

Quote
A PoS network in contrast can only be controlled for a limited time due to the dormancy requirement after staking.
No. Nothing stops the attacker from using several addresses for his attack.

Quote
* Plus you can sell your PoW coins and have no effect on your 51% PoW dominance, while in Proof of Stake selling coins decreases your PoS %.*
OK, this is true. But a single 51% attack may cause enough damage that the confidence in the coin would be severely affected. Even if it doesn't mean it "dies", it may never recover its original importance.

And the attacker could even preserve his (emptied) keys to launch "long term attacks" like the one monsterer described.
member
Activity: 364
Merit: 13
Killing Lightning Network with a 51% Ignore attack
PoW attacks are, indeed, very easy in coins using an algorithm where mining is possible with ASICs used also to mine Bitcoin or another major coin. The owners of a large farm only have to mine a coin with a "matching" algorithm, double-spend, 51% it and go on to the next one.

But this is not something that affects PoW as a consensus principle. Bitcoin is safe from this kind of attack, Ethereum too, and even Litecoin.

That my friend is the illusion that is a false belief.

Bitcoin or Ethereum or Litecoin are only as safe as the miners that collude to form at least a 51% majority.

If at any time the profit / incentive sways from protecting Bitcoin or Ethereum or Litecoin to attacking them,
since the PoW miners are selfish in motive (Greed/Profit), they will switch as they consider their ASICs more valuable than the coins they produce.

IE: Bitcoin is Completely Safe as long as the Chinese Miners Agree it is.
Just as Paypal is safe as long as their centralized control agrees it is.
In both cases we are trusting 3rd parties to secure our transactions. [In Proof of Stake, we can buy enough coins to secure our own transactions.]

You are not trusting the PoW consensus design, you are trusting the over 51% colluding ASIC miners to secure the coin.

Which is one problem with PoW design: if you have over 51% you can maintain constant control over the network,
while in a PoS design your % is always in flux, as when you stake your coins go dormant for a length of time, removing your ability to control the network.

While a PoW network can be controlled 100% of the time by over 51% collusion,
a PoS network in contrast can only be controlled for a limited time due to the dormancy requirement after staking.
* Plus you can sell your PoW coins and have no effect on your 51% PoW dominance, while in Proof of Stake selling coins decreases your PoS %.*



FYI:
https://www.coindesk.com/blockchain-immutability-myth/
Quote
Nonetheless, it's important to remember that each node is running on a computer system owned and controlled by a particular person or organization, so the blockchain cannot force it to do anything.
The purpose of the chain is to help honest nodes to stay in sync,
but if enough of its participants choose to change the rules, no earthly power can stop them.

That's why we need to stop asking whether a particular blockchain is truly and absolutely immutable, because the answer will always be no.
Instead, we should consider the conditions under which a particular blockchain can be modified, and then check if we're comfortable with those conditions for the use case we have in mind.

FYI2:
Currently with PoW, people pay a transaction fee to have their transaction included in a block.
What if the miners decided it was more profitable to offer others the ability to pay to block an address from completing a transaction, and make people bid against each other, one person trying to include a transaction and the other wanting it excluded.  Tongue
By doing so they increase their profit margin, and they are selfish miners after all.

So if you did not have the ability to add transactions to blocks, you'd be suffering at their whims.

IE:
You owe the bank a payment on your credit card on Tuesday, so you send the bitcoins to their payment address on Monday.
What you don't know is they paid the colluding miners a fee to delay any transactions going to their payment address for a few days.
The bitcoins you sent are stuck in transit, just being ignored and not released.
After the time limit has passed the credit card payment is allowed to arrive, but not before you have been hit with late penalties and additional fees. Tongue
legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
PoW attacks are, indeed, very easy in coins using an algorithm where mining is possible with ASICs used also to mine Bitcoin or another major coin. The owners of a large farm only have to mine a coin with a "matching" algorithm, double-spend, 51% it and go on to the next one.

But this is not something that affects PoW as a consensus principle. Bitcoin is safe from this kind of attack, Ethereum too, and even Litecoin.

As most other coins are not safe from the "chain-hopping" attack, a PoS addition may even have a positive effect. While it doesn't add much security (because small PoS coins are also very weak), the attack becomes more complex because the attacker also has to acquire coins or old keys.
member
Activity: 364
Merit: 13
Killing Lightning Network with a 51% Ignore attack
So much for PoW Security.  Cheesy

https://cointelegraph.com/news/bittrex-to-delist-bitcoin-gold-by-mid-september-following-18-million-hack-of-btg-in-may

Quote
While Bittrex has blamed BTG’s Proof-of-Work (PoW) consensus as a factor that led to the double-spending attack,

Quote
Crypto exchange Bittrex will delist Bitcoin Gold (BTG), a hard fork of Bitcoin (BTC), by September 14 following an $18 million hack of the BTG network in May, The Next Web reported September 3.

Founded in 2007, the hard fork cryptocurrency Bitcoin Gold has suffered a “double-spending” hacking attack that reportedly allowed the unknown hijackers to take control of more than 51 percent of the BTG hashrate.
The attack, which reportedly started on May 18, 2018, has managed to amass more than $18 million in Bitcoin Gold from various exchanges, including Bittrex.

Following the hack,
the Bitcoin Gold team explained that the attacker was deploying the combination of a 51 percent and double-spend attack in order to defraud crypto exchanges.
They noted that the hacker was targeting exchanges since they “accept large deposits automatically, allow the user to trade into a different coin quickly, and then withdraw automatically.”

Specifically, the attacker was making large BTG deposits on exchanges, at the same time sending the same funds to his own crypto wallet.
By the time the exchanges realized that the transaction was invalid, the hacker had already withdrawn funds from the exchange and doubled his original funds.

https://www.ccn.com/bitcoin-gold-hit-by-double-spend-attack-exchanges-lose-millions/

Quote
The last transaction was sent on May 18, but
the attacker could theoretically attempt to resume it if they still have access to enough hashpower to gain control of the blockchain.

Quote
Bitcoin gold’s developers advised exchanges to address the attack by increasing the number of confirmations required before they credit deposits to customer accounts.
Blockchain data indicates that the attacker successfully reversed transactions as far back as 22 blocks.

Quote
As CCN reported, a miner manipulated two of privacy coin verge’s five hashing algorithms to maliciously mine more than 35 million XVG — worth ~$1.75 million — in just a few hours.
Previously, Japanese cryptocurrency monacoin was hit by an apparent block withholding attack after a miner gained as much as 57 percent of the network’s hashrate.
legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
I agree with everything you've written, apart from the fact that it gives validation to the idea that having the community vote to create a hard fork is in any way acceptable for a currency that's supposed to be decentralised.
I consider it acceptable as a "measure of last resort", as I wrote - and as a way to disincentivize these kinds of attacks. I also think UASFs are legit as a last resort protection from malicious miners, and both measures are pretty similar.

What @aliashraf wrote is, technically, very close to a "51% stake attack". You would need to hold at least 10% - more likely about 15% - of the currency in one moment. And in this case I agree with Zin-Zang that the acquisition and also the selling of the coins would be very difficult, even including shorting, because of the influence on price (and more so if there are rolling checkpoints and your attack window is small).

I think for a PoS attacker it is more promising to continuously try short-range attacks and confuse the currency holders about the "best chain" to follow, and then launch a larger attack, shorting a large number of coins - in this case 3 to 5% of the stake should be enough to create a lot of confusion and potentially be successful with the attack, leaving a hard fork as last resort. In a chain applying TaPoS/Economic Clustering (like NXT/Ardor) however that becomes more difficult as nodes would simply follow the chain of the big exchanges, and in some algorithms like Cardano it may be close to impossible.
legendary
Activity: 3346
Merit: 3125
I read some good points on this thread; the attack isn't easy at all, but it is possible. And the attacker doesn't need more than 51% of the network to make the attack, he only needs the old addys, and as you say, this is a big vuln based on the main characteristics of the PoS system.

Honestly I don't think we will see this attack, but it is good to know it's possible; maybe that way developers can think about what to fix in the next update.
full member
Activity: 351
Merit: 134
In this case, if the checkpoint is included before the attacker "liberates" his attack chain, it's still not a hard fork. It's simply a typical "weak subjectivity" scenario.

But if he was successful and the reorganization to the attacker's chain would have taken place, then it is. This would be similar to Ethereum's ETH/ETC fork.

I agree with everything you've written, apart from the fact that it gives validation to the idea that having the community vote to create a hard fork is in any way acceptable for a currency that's supposed to be decentralised.
member
Activity: 364
Merit: 13
Killing Lightning Network with a 51% Ignore attack
Suppose, I have a dominant share of a PoS coin. I exchange my coins with a decent PoW coin ( Tongue) and cash out, now I'm able to commit a long range attack against the network or participate in such an attack using my old private keys with zero cost.

You purchase a dominant share of a PoS coin at higher market prices;
if you do a massive dump you crash those prices, meaning you LOST a large % of your original investment.
So that is a huge cost $$$.  Cheesy

Now, the exchange that you sold on, most likely stakes their PoS coins, most do.
So all of those coins will be staking on that exchange until the buyers remove them.
Meaning the staking % of others plus the Staking % of the coins you sold on the exchange are staking.
Your old private keys alone won't be enough to outstake your sold %, in addition to the other %.
Another factor that would hurt your attempt is the fact that proof of stake coins go dormant for different lengths of time according to their individual specs.

Never as easy as it seems, is it?  Wink


FYI:
Even if someone crashes the price of a Proof of Stake coin,
Proof of Stake coin networks require less than a few $1000 per month to operate,
and their stakers can easily weather extremely long terms of a low price,
as they can easily meet the monthly costs to continue a PoS coin until prices return to normal.

In contrast:
If a PoW coin price crashes,
PoW miners can only sustain their network for a short amount of time,
less than 3 or 6 months on average for the majority before they have to shut down those energy wasting ASICs.
IE:
If the input cost to mine a Bitcoin is $3000, and the miners can only receive $1000 per bitcoin,
within a few months the bitcoin network will be dead as the miners can only afford to lose money per block for a limited time.
Whereas Proof of Stakers can continue indefinitely to keep their network running.
Which is why in business a person always needs to monitor input costs, if they want to keep their business.  Smiley

*If someone ever compromised Satoshi's ~1 million coin Bitcoin wallet, they could easily keep the bitcoin price in the unprofitable range long enough to kill it.*
Plus Satoshi's wallet is less than 5% of the total 21 million coins allowed, which means PoW coins are more susceptible to being destroyed by as little as 5% to make the coin production unprofitable and kill its network, due to their insane input costs.

*Just another reason Proof of Stake is superior to Proof of Work in the long run, INPUT COSTS to maintain their networks.*  Smiley
Ix
full member
Activity: 218
Merit: 128
Suppose, I have a dominant share of a PoS coin. I exchange my coins with a decent PoW coin ( Tongue) and cash out, now I'm able to commit a long range attack against the network or participate in such an attack using my old private keys with zero cost.

This is misleading. It isn't possible to just hit the sell button on a "dominant share" of a coin. The market will likely collapse on the way to the exit which may already accomplish what you wanted to do anyway as a dominant shareholder. It is a criticism of lopsided distribution, not PoS. If distribution were not lopsided, then to achieve a dominant share there was a significant cost associated, and exiting that market will absolutely not be free.

Deride weak subjectivity all you want, but software checkpoints have zero actual cost and very low social and philosophical costs to anyone that isn't beating the PoW drum (which costs billions of actual dollars every year). Transactions will be dramatically cheaper on PoS and that will ultimately decide what people use - at least as an actual currency.
legendary
Activity: 1456
Merit: 1175
Always remember the cause!
Attacker sends request to PoS user for old keys.

PoS user agrees to sell/send old keys to attacker only upon receipt of payment for keys.

PoS user informs the PoS dev of sold keys, before the attacker can launch his attack.

PoS dev updates checkpoint thru program update, making the attacker's purchase of old keys useless.

Now the attacker has the useless keys and lost his payment, and the PoS user & dev are laughing at the attacker's attempt.

*What is funny is the attacker who is attempting to do harm with a dishonest heart thinks the PoS user will be honest with him.*  Cheesy Cheesy Cheesy

This might be the primary reason no one ever tries to buy old keys.   Smiley
Because it is so easy to turn the attacker into the chump.
Actually, it is not a mitigation by any means.

Suppose, I have a dominant share of a PoS coin. I exchange my coins with a decent PoW coin ( Tongue) and cash out, now I'm able to commit a long range attack against the network or participate in such an attack using my old private keys with zero cost.
legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
In this case, if the checkpoint is included before the attacker "liberates" his attack chain, it's still not a hard fork. It's simply a typical "weak subjectivity" scenario.

But if he was successful and the reorganization to the attacker's chain would have taken place, then it is. This would be similar to Ethereum's ETH/ETC fork.

However, these scenarios are scenarios of last resort. They can also occur in Bitcoin, if a miner majority (or a minority, in the case of a soft fork) attempts to block an important upgrade, for example. I think most of us remember the "nuclear option" in 2017 Wink

The goal for PoS currencies is to avoid this scenario. I think it's difficult enough already in mature currencies. (Edit: And the mere possibility - and high probability - of it to happen already lowers the EV of PoS attacks, and thus the incentives for it.)
full member
Activity: 351
Merit: 134
PoS user informs the PoS dev of sold keys, before the attacker can launch his attack.

PoS dev updates checkpoint thru program update, making the attacker's purchase of old keys useless.

Now the attacker has the useless keys and lost his payment, and the PoS user & dev are laughing at the attacker's attempt.

*What is funny is the attacker who is attempting to do harm with a dishonest heart thinks the PoS user will be honest with him.*  Cheesy Cheesy Cheesy

This might be the primary reason no one ever tries to buy old keys.   Smiley
Because it is so easy to turn the attacker into the chump.

What is funny is trusting any form of money where you have to rely on a hard fork in order to retain any sense of security.
member
Activity: 364
Merit: 13
Killing Lightning Network with a 51% Ignore attack
Attacker sends request to PoS user for old keys.

PoS user agrees to sell/send old keys to attacker only upon receipt of payment for keys.

PoS user informs the PoS dev of sold keys, before the attacker can launch his attack.

PoS dev updates checkpoint thru program update, making the attacker's purchase of old keys useless.

Now the attacker has the useless keys and lost his payment, and the PoS user & dev are laughing at the attacker's attempt.

*What is funny is the attacker who is attempting to do harm with a dishonest heart thinks the PoS user will be honest with him.*  Cheesy Cheesy Cheesy

This might be the primary reason no one ever tries to buy old keys.   Smiley
Because it is so easy to turn the attacker into the chump.
legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
anyone with money can take it over
That is also true for PoW and all known consensus algorithms Wink

The challenge is to obtain a high attack cost. PoS attack costs are more difficult to calculate than PoW's. But they're not necessarily lower. Social engineering is not free.

I've got some ideas how to achieve a serious estimation of PoS (or any other weak-subjectivity-based algorithm with N@S problem) attack costs, taking into account, for example, the current cost of fake social media accounts, hacking of websites (e.g. block explorers), malware distribution and also the cost of shorting large parts of the currency. One could also fake a request for "old keys" (pretending to be an attacker) to get some numbers about how many people would accept such an offer and how much they would like to get paid.

Imo, in PoS currencies the security level (=attack cost) is much more dependent on a healthy ecosystem than for PoW currencies.
newbie
Activity: 30
Merit: 0
Yes everyone knew that PoS is a PoS Cheesy Cheesy :poo: since anyone with money can take it over
legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
No, that estimation includes the threats by long range attacks (like the attack you described - the typical "old keys attack"), bribe attacks, short-range attacks and other known N@S-related scenarios. None of these attacks is free, most of them are highly impractical (try to find people that sell you 50% of the staking amount in some moment of time) and, thus, expensive.

Not sure I'd completely agree with that. More like between 0% and 3% would be a more accurate estimate.
If it was 0%, we would have seen many more attacks on Proof-of-Stake currencies. Wink

I agree though that attacking small/weak Proof of Stake currencies should be (in theory) very easy, as they mostly have a very unequal distribution and few real persons behind the "stakers". So the attacker can be lucky to find a 10%-stakeholder who agrees to sell him his emptied keys for a low amount.
newbie
Activity: 1
Merit: 0
The attacker buys all keys at once, or very close together as stated in the description.
full member
Activity: 351
Merit: 134
No, that estimation includes the threats by long range attacks (like the attack you described - the typical "old keys attack"), bribe attacks, short-range attacks and other known N@S-related scenarios. None of these attacks is free, most of them are highly impractical (try to find people that sell you 50% of the staking amount in some moment of time) and, thus, expensive.

Not sure I'd completely agree with that. More like between 0% and 3% would be a more accurate estimate.