Security analysis of PoW/PoS hybrids with low PoW reward
Low PoW reward doesn't attract miners. This leads to ridiculously low PoW difficulty.
A pair of examples:
Mintcoin scrypt diff 0.1 (vs Litecoin 5677)
SHACoin sha256 diff 1427 (vs Bitcoin 5006860589)
At such difficulty PoW blocks can be mined with speed of light.
Attack I
It is possible to build sequential chain of PoW blocks to confirm a transaction. Only 4 blocks for Mintcoin and 10 for SHACoin.
Is it hard to orphan the chain of PoW blocks?
One PoS block is enough. In both Mintcoin and SHACoin one PoS block may orphan a few millions of PoW blocks.
If at the same time the main chain will get a competing stake, attacker's chain can be enlarged with PoW.
This dramatically increases chance to success in comparison to pure PoW attack.
Ability to confirm a transaction and then orphan confirmations is ability to double spend.
Summary: double spend attack requires 1 PoS block and low hashing power.
Visualization: http://i.imgur.com/Pyrw75q.png
Attack II
Current implementation of stake miner gives up if median time of last blocks is in future.
This temporarily makes the whole network PoW-only and opens well known 51% PoW attack.
Attacker needs only 6 of 11 last blocks.
Successfully tested on Mintcoin: no PoS blocks from 203231 up to 203441, more than 1 hour of real time.
Jump to: