Bitcoin Forum

Alternate cryptocurrencies => Altcoin Discussion => Topic started by: EricLou on February 16, 2014, 12:09:30 AM



Title: Pure proof of stake and surviving a 51% stake attack
Post by: EricLou on February 16, 2014, 12:09:30 AM
A block chain's only real job is to give transactions an official order.

And that is surprisingly difficult to create in a decentralized context.

Basically, the root of the problem with a pure proof of stake coin is the following scenario:

Say you just joined the network. And you try to download the blockchain but you're getting two very different stories:

In one story you have 49% of stake owners telling you they've been forging blocks for months despite the fact that the other 51% was just completely absent and not participating.

In the other story you have the other 51% of stake owners telling you the opposite, they've been forging a completely separate fork for just as long and it's the other 49% that weren't there.


So, how can something like that even happen? Well for one, there could have been some kind of network split where the respective nodes could not communicate with each other causing both halves to think the other half was simply not doing its job. Another possibility is that one of the groups is lying. One of the groups decided to wait for months before forging a whole lot of blocks all at once and spread them through the network.

For someone just now joining the network, there is no way to tell whether it's a network split or if the 49% are lying or if the 51% are lying. But that will merely allow a cartel owning 51% of the blocks to be able to rewrite history at will (e.g. changing the order of double spends months after the fact). They may even be able to indefinitely delay some transactions that for their own reasons they just don't want included in the blockchain.


Now, from here it might seem like we're at an impasse. But not quite. Let's disregard the possibility of a network split for a moment and look into trying to fix the 51% stake attack.

Everyone who was joined to the network during the part of the attack where the 51% stake holders were hiding knew that it was actually the 49% who were being honest and working and that the 51% were not there. As soon as the 51% starts retroactively releasing their blocks, everyone already on the network knows that they're lying. They could do all sorts of things to that 51%: refuse to propagate their fake blocks, include the blocks in the real fork to prove their dishonesty and punish them financially, etc.

But that doesn't help the newcomer at all. Everything that the 49% is saying in their own block chain about the 51%, the 51% is saying about the 49% in their new fork. Now, if the newcomer has a friend who was online at the time of the attack, then he'll know who's lying. And that's definitely an option: is the pizza place down the street connected to the network 24/7? Then find out which side they're on. Or maybe you have friends who were online at the time? The coin's client could be user-configured to trust certain accounts. And for those who have no one to trust, it can be pre-configured to trust a set of impartial observers, and a fork would automatically be chosen if all trusted accounts agree on the same fork.

So, while yes, this is a solution, it's a pretty bad solution. If you're using the pre-configured set of impartial observers, presumably you're trusting the client software you download, so you should be able to trust the impartial observers that came with it. But things can change: maybe you can trust them today, but not 10 years from now.

But there's another problem. Some types of software simply can't trust anyone. For example, if you have a smart contract running on Ethereum and it needs to gather the latest authoritative information from your proof of stake coin's block chain, it will have no way of knowing which block chain to pick. Unless you preconfigure it with a trusted observer, but that ends up centralizing the whole thing, defeating the point of putting your smart contract on Ethereum in the first place.

Don't get me wrong, compared to the alternatives (PoW, or PoW+PoS hybrid) this is a great blockchain maintenance system. But it's not perfect.

So let's say trusted observers were not an option. Now, we're back to having a large chunk of the network being honest people who know exactly what happened, and 51% of stake holders actively lying to try and affect transaction processing and newcomers who have no idea which is which. But this time they can't trust anyone to tell them who's lying.

But the newcomers are online now. If the 51% wants to bring the newcomers over to their side, they better behave.

But why behave now? What's to gain from fooling a few newcomers?

How bad for the coin will the resulting fork be? Can those account holders who know what happened just surrender to rejoin the fork? Is there a mechanism by which we can make sure that the 51% must agree to the surrender and that the surrender comes with certain conditions that will ensure that very little damage is done in the end?

In the end, we're not really fighting over who's right and who's wrong. We're fighting to make sure that the block chain suffers as little damage as possible. We also want to find a way to make such an attack inconvenient and expensive for the attackers. If we can be sufficiently successful at those two goals, there might not be any reasonable motivation for someone to pull off the attack. It may already require them to acquire 51% of the stake of the coin, and the loss of value from a successful attack is already a pretty strong incentive.

So that's where I'm at. If I had to pick a favorite solution right now, between 51% takes all and trusted observers, I would go with trusted observers. Especially with a new coin with a small market cap where it could be quite easy to buy up the necessary stake.

Of course, the network split that I disregarded needs to be taken back into account somehow. But network splits might be easier to resolve as they most likely won't last longer than say, 60 minutes and all parties involved are interested in a best case resolution.


I assume I'm not the only one who has thought of these things. If anyone knows of anyone else who might have gone further, or has links for further reading, it would be much appreciated.
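The newcomer's dilemma and the trusted-observer fork choice described in the post, as an added example that is not part of the original thread or of any coin's client. It is a constructed simulation: two valid forks share a genesis block, the one forged by the 51% group carries more stake, so a naive "most stake wins" rule picks it, while the observer rule only settles on a fork when every configured observer (the "pizza place" and a friend here are made-up names) attests to the same head, and stays undecided otherwise. Block structure, stake figures and attestation format are all assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
import hashlib


@dataclass(frozen=True)
class Block:
    height: int
    prev: str      # hash of the previous block ("" for genesis)
    forger: str    # stake account that forged the block (constructed label)
    payload: str   # stand-in for the transaction list

    def hash(self) -> str:
        data = f"{self.height}|{self.prev}|{self.forger}|{self.payload}".encode()
        return hashlib.sha256(data).hexdigest()


def build_fork(genesis: Block, forgers: List[str], tag: str) -> List[Block]:
    """Extend the shared genesis with one block per forger; the tag makes
    the two forks carry different (constructed) transaction histories."""
    chain = [genesis]
    for height, forger in enumerate(forgers, start=1):
        chain.append(Block(height, chain[-1].hash(), forger, f"{tag}-txs-{height}"))
    return chain


def valid_chain(chain: List[Block]) -> bool:
    """Both forks pass this check: each block links to its predecessor.
    Internal validity alone cannot tell the newcomer which fork is real."""
    return all(blk.prev == prev.hash() and blk.height == prev.height + 1
               for prev, blk in zip(chain, chain[1:]))


def naive_choice(forks: Dict[str, List[Block]], stakes: Dict[str, int]) -> str:
    """'Most stake behind it wins': sums the stake of the distinct forgers on
    each valid fork. This is exactly the rule the 51% group can satisfy."""
    weight = {name: sum(stakes[f] for f in {b.forger for b in chain[1:]})
              for name, chain in forks.items() if valid_chain(chain)}
    return max(weight, key=weight.get)


def choose_fork(forks: Dict[str, List[Block]],
                attestations: Dict[str, str],
                trusted: Set[str]) -> Optional[str]:
    """Return the fork whose head every trusted observer attests to, or None
    when an observer is missing or they disagree, so the client stays undecided
    rather than guessing. Attestations map observer name -> head hash."""
    if trusted - attestations.keys():
        return None                       # some trusted observer has not spoken
    attested = {attestations[obs] for obs in trusted}
    if len(attested) != 1:
        return None                       # observers disagree; cannot decide
    head = attested.pop()
    for name, chain in forks.items():
        if valid_chain(chain) and chain[-1].hash() == head:
            return name
    return None                           # attested head is not a known fork


# Constructed scenario: 49% honest group vs 51% group releasing a fork later.
STAKES = {"alice": 30, "bob": 19, "carol": 31, "dave": 20}
GENESIS = Block(0, "", "genesis", "genesis")
FORKS = {
    "honest": build_fork(GENESIS, ["alice", "bob", "alice", "bob"], "h"),
    "cartel": build_fork(GENESIS, ["carol", "dave", "carol", "dave"], "c"),
}
TRUSTED = {"pizza_place", "friend"}
# Observers that were online during the quiet period attest to the honest head.
ATTESTATIONS = {obs: FORKS["honest"][-1].hash() for obs in TRUSTED}


if __name__ == "__main__":
    print("naive (most stake):", naive_choice(FORKS, STAKES))
    print("trusted observers :", choose_fork(FORKS, ATTESTATIONS, TRUSTED))
    split = dict(ATTESTATIONS, friend=FORKS["cartel"][-1].hash())
    print("observers disagree:", choose_fork(FORKS, split, TRUSTED))
```

The undecided outcome (None) is the important design point: when observers are missing or split, a client should refuse to follow either fork and surface the ambiguity, rather than fall back to the stake-weight rule that the post shows a 51% holder can always satisfy.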