Bitcoin Forum

How hard would it be to perform a 51% attack on a pure POS coin?

I hear people say "it is allmost impossible since you need to own 51% of the coins" but is that really the case?

Isn't it that one should own 51% of the current available coin age at any given time?

Lets say we have a coin with these parameters:
Total coins: 100 000 000 (virtually all in circulation)
Min coin age for staking: 24hr
Max coin age: no upper limit

Now, how mutch of these coins are elegible for staking and in wallets that is up and running at any given time?
I have no numbers but lets estimate 20%.
What would the avarage coin age be for these coins at any given time? Estimate 3 days
That gives a total staking-power (coin age * coins) at any given time of 60 000 000

If i transfer 1 000 000 coins and leave them in my wallet offline for 123 days then i will have 51% of the total staking power hence make it possible for me to perform a 51% attack.

As i said, i don't have any real numbers just estimates and they could be way wrong but if the coin doesn't have any coinage upper limit i think this is a real risk...

You need a percent of what is, at that moment, actually online doing PoS mining, I think?

Also, it is not coinage but Coin Age that you need. Not number of coins but number of coin-days, so to speak.

Two coins you have had for one day each is as good as one coin you have had for two days type of thing.

-MarkM-

Yes, thats exactly what my example is all about. I might not be very good at explaining.....

Also, 20% of coins being online might or might not be a reasonable guess.

If most people leave their coins in web wallets and exchanges and such, the vast majority of coins seem likely to be online at any given moment.

Whereas if everyone likes to keep their own coins at home on paper wallets and only fire up a client once every [max coin age for stake minus time it takes to use them as stake once fired up] maybe most will be offline at any given moment.

A lot of people in this forum mention that you only need to fire up your wallet occassionally for PPCoin-derived PoS coins for example, and even have sometimes written that once they do fire up a wallet that has aged a while like that it only takes half an hour or so to do the stake thing.

If those kinds of time apply then maybe that would mean coins only being online half an hour to an hour in each 30 days or so... Maybe worse if max coin age for stake is more than 30 days.

If max coin age for stake is 30 days presumably someone with 2/30ths of the coins (1/15th of the coins) should be able with high certainty to get two blocks in a row "on demand" each 30 days?

In the extensive discussions (of actually expected to work PoS systems, not of whatever Sunny made up out of his own head without - proudly without - even reading all that research and discussion), Cunicula calculated for one set of constants for his proposed system that a person with some percent (I forget the exact percent) could do a double-spend once a year but said that would not matter because the amount of wealth any one transaction of such low value that the merchant would not wait an extra number of blocks to confirm would be so trivial that the fraud perpetrate-able by that method would be trivially tiny compared to the normal amount of fraud merchants are long conditioned to expect by standard things like credit cards that they all already have no qualms about using.

-MarkM-

Yes but there are even coins with NO MAX COIN AGE.
for them it is a huge problem i believe since you can have a small number of coins stored even years and the when you open your wallet you will have alot of staking power

Even with those, merchants presumably would calculate how many blocks of confirmation they feel they should wait based on how valuable the transaction is.

An info for merchants site could provide a ticker showing the maximum number of blocks in a row the largest most ancient wallets combined could expect with good certainty to generate in a row, and set the number of blocks they want to wait when selling a cup of coffee or an economy automobile or a fleet of cruise ships accordingly.

("Hmm, a fleet of cruise ships, that will put a big dent in their coin-age, and each day I wait before sending the ships those coins age in my wallet not theirs, how many days do I need to wait before I am safe if they own all the coins other than those they just sent to me? " ;))

(Plus also "I happen to know Mount Fox controls those coins over there, and I trust them, and I also know my rich grandpa owns those there, etc, so realistically the most my customer could own is X many...")

Still, unlimited coin age does sound like every few generations an almost broke family could double-spend a meal out of someone or something like that at least...

In real life though credit card fraud is so horrendously huge that banks and credit card companies try not to let the public find out jsut how huge it is, lest all confidence in their system be lost. So maybe Cunicula might say a few people getting a free rolls royce every few years by double-spending is trivial, and someone might add that repo corps would re-possess the cars anyway, so big deal not a problem?

-MarkM-

I'm not sure I understand how blocks are generated in PoS, but even if you are right, it can't be that easy

First, given that it is actually a serious coin, owning a serious percentage of the total is quite hard, unless you are one of the founders of the coin, or very rich and seriously invested in it.
Even being offline for long as you described requires a serious stake and therefore investment

Trying to cheat like that would immediately lead to the coin losing credibility and possibly dieing. So you would quickly have to dump your holdings before the freefall.
Not to mention that the dump alone of such a major stake would be enough to cause a freefall. So what exactly would you stand to gain by undermining your own property? It just doesn't make much sense in the end

You would have to be malicious and actively trying to hurt the coin, and have spent a small fortune to destroy it.


Now of course this is alot easier if the coin is small and unpopular. But don't PoW coins suffer the same if not worse?

I can see the incentive in cheating in a major PoW coin provided that you have the power (though very hard). You might actually steal some, double spend or whatever and get out fast. Not in a PoS though

Most POS coins do have a coin age upper limit so to attack them would require a large percentage of the total but those with no upper limit wouldnt require that mutch. All you have to do is wait long enough.
It is like building a larger and larger mining rig without doing anything...
 

Most plans to profit on crashing the coin's value involve finding a sucker who is willing to loan you coins so you can "short" the coin, or bet against you that the coin will not crash.

Cunicula suggested that shorting is not a problem because any idiot who offers shorts will learn in ha ha pun coming up... short order... that offering such a short is stupid.

But in theory you buy up some number of the coins to get stake, and do a short on which you will profit by more than that stake.

If you can get some idiot to provide you an actual loan of coins you can stake the borrowed coins themselves in addition to any stake you also directly buy.

But probably a more usual method of "shorting" does not even involve anyone actually owning the coins to do it, since lots of sites that let people pseudo-short things let them simply wager that the thing will or will not go up or down in value.

With such a capability on hand, you could buy X number of coins and let them age enough to do your double-spend or whatever, then when ready to do the attack go make a wager worth more than the coins you have at stake that the value of the coins will go down. A lot of betting sites let you just do a binary wager, up or down, no need to even involve how much they go up or how much they go down.

So you then do your attack and, if it succeeds, make sure it gets as close to front page news as possible.

Using simple wagers it might not be as hard to find idiots willing to enable you to do in effect a "short" of the coin, since you do not need not obtain a short from a professional shorting agent but could simply place a wager on BitcoinBets that coin X will whatever by whenever and let any sucker fanboi bet against you that it will not, so I am not convinced Cunicula is correct that  even if you find a sucker once the industry will learn not to offer shorts in PoS coins a second time.

Also, isn't the ability to short considered kind of essential for currencies, assets, etc to go mainstream? If no one would be fool enough to offer shorts on a coin, wouldn't that severely limit the potential of that coin to ever be considered a serious currency or asset?

Also if offering loans at all, just in case the borrower uses them to do a short on the coin, is dangerous, doesn't the lack of ability to borrow a currency kind of limit the chance of that currency ever being taken seriously?

-MarkM-

It would take 30-40 BTC and 180 days waiting for one pretty popular coin at the moment.

Yes they do and that is allready well known. But when it come to POS people say it is so very safe but i think i just found out that it isn't that hard to double spend..


Why not in POS? Thats exactly what one can do this way...

I can see now why allmost all pos coins have a max coin age.
No max coin age = big risk

hmm ok you have 51% of power what now ?
you will lose that power after next POS block...
Block need 10 confirmations...
so you need 10 blocks in row to get confirmed double sped ext...
There are also other parameters like weights all is not that simple like you describe.

In POW you own network all time long with 51% hash power...
In Pos with coinage you lose that power in next block i don't think is so big deal.

Right, so the guy with one 51% saved up can doublespend a free one-confirmation product out of someone.

Cunicula's argument was basically that one product each year or whatever that is sold at only one confirmation, or one two-confirmation products each twice that span of time, or one three-confirmations product each three times that span of time etc is tiny trivial amount of inventory shrinkage compared to what the real world currently experiences as business-as-usual.

The more the spend is worth, the more confirmations the seller is likely to wait before handing over the product.

Plus you still might get arrrested by security on your way out of the mall with the loot.

-MarkM-

To perform a DOS attack on a blockchain-based cryptocurrency, you don't need to generate all of the blocks---you only need to be able to generate more blocks than all of your competitors combined in order to create the longest blockchain. Clients accept the longest blockchain as the valid blockchain.
Since a 51% stakeholder has a faster search speed, he will (on average) be able to generate blocks faster than all minority stakeholders combined. That means his blockchain will always eventually grow longer than any other blockchain, allowing him to unconfirm any transaction included in the blockchain by the minority stakeholders.
This is not an unknown problem. The Peercoin website says, "In a hybrid proof-of-work/proof-of-stake system, an attacker would have to possess 51% of mining power and 51% of all coins."
In a pure POS system, only a 51% stake would be required to perform an guaranteed-to-succeed attack.

51% of actual coins, yes. 51% of coin age, though? Maybe not?

Cunicula preferred though that staking cost work or me enhanced by work, not the same thing as having two types of blocks, just a mechanism to make it cost you something to use the same stake on a billion different forks so you could pick whick fork to go with based on which one you did get a stake block on.

(As pure stake right now, in Sunny style PoS, doesn't really cost you anything to run several forked chains in parallel, on each of which you have your stake of coins to work with.)

-MarkM-

stake = coin age

You are claiming that if you have 51% of coin age you endlessly win as long a chain as you choose?

I think not, because I think you lose the age when you use it as stake.

You can use it on multiple forks in parallel, but not in series one block after another.

Stake your 51% of all coin age in one block, pow you now have no coin age left...

Modified of course if not all coins are online so your 51% is not of all coin age that exists, as then you maybe could ahppen to have more coins offline that happen to be another 51% of what is left online.

But if you have 51% of all coins, you can age more than other people so can always have more coin age being created than everyone else all put together. You still lose some of it each time you actually use some of is stake though. Or you should, anyway. If you don't that would be a problem.

-MarkM-

"In a pure POS system, only a 51% stake would be required to perform an guaranteed-to-succeed attack."
I know only BC but there you need 10 confirmations and still you have only chance that you will get POS mined blocks.
if you have 51% of all coins chance that you get 10x POS block in row are even smaller.
Chance is (0.51)^10 ~0.1% chance of succeed... but even with that you have weights and other parameters which are making attacker life harder to get 10 confirmations in row.

Okay so spawn/clone a million copies of the blockchain, or some number of copies anyway. Trillions, billions, hundreds, tens, whatever your stake farming centre can do.

Pick to build on only the copy in which whatever chance of getting the next stake block happened to fluke out for you to get you the block.

Make as many copies of that resulting blockchain.

Etc.

By what proportion of the number of copies does that increase your chances aka multiply your "effective" stake?

-MarkM-

I read a little deeper into how it works and i can see now that my example is wrong.
You need 51% of the coins to have a chance to allways have the highest coin age. Highest coin age in one shot will do nothing.
case closed, POS is still secure :)

Stake/weight/coinage is connected with adres and written in blockchain.
Once you hit stake you are destroying coinage/stake and and power for all copies at once.
You will use all copy only once.

No, I am talking about the chance of being the user who gets the next stake-block.

In some of your copies of the blockchain+wallet some other user will get the next stake block, if you only stake for example 1/10th of your coin age on a block (because of wanting to get 10 blocks in a row, for example).

On all the copies where it is not you who gets the next block, well those copies never happened. Your "real" attack chain you pick to build next block on will be one of the copies in which it was you who got the next block.

So for example suppose you have ten times enough coin age to get a 1 in 1000 chance of winning the stake block.

You can thus afford to try for ten blocks in a row, with 1 in 1000 chance each block.

Now make 1000 copies of the chain, so a thousand of "you" are, in secret, trying for the next block with 1/1000 chance each.

What is your chance then?

Now suppose you make 10,000 clones of "you" all in parallel.

Etc.

The fact it does not cost "work", just a bunch of disk space and a little bit of computation, per copy you run in parallel, is why Cunicula wanted "work" to be somehow involved in using your "stake". Not separate blocks even, just make it cost to use stake. In at least one of his suggestions for example, the weight would be some function of work and stake, chosen so it would take a lot of work to beat a little stake but pure stake with no work could be beaten by less stake with some work.

-MarkM-

You always have factor of others wanted broke your operation.
1/1000 x1000  = 100% chance wont never exist in real world because there always will be others with some coin age or exchange ext and those factors will cut your chance to 50% maybe less per block but always to have 100% chance you need shut them down others from network.
It is no so easy even with such "bot" net like that you need to be majority.

https://en.bitcoin.it/wiki/Proof_of_Stake

"Double-spending prevention

A good level of security can be achieved by waiting for a block to be cemented. By that time it is safe to assume that the network recognizes this block and will not easily switch to a different block, even if a longer branch is presented.

A more authoritative confirmation is enabled by waiting for a signature block. Once a block achieves a majority (and some more time is allowed for this majority to spread in the network), it is extremely unlikely that the network will ever switch away from this block."

______________________________________________________________________
So when you trying get coin age up while being off line and not stacking:
Coin-age_t = Coin-age_t-1 + 1

You are losing weight weight - is something that can allow you have higher chance to mine POS block.

New weight = 0.9 * Old weight + 0.1 * Balance
If a signature is not provided by the address in a signature block, its weight decreases:
New weight = 0.9 * Old weight

Coins with stake with big coin age aren’t majority of coins which will be used to confirming operation they can refuse fake blockchain
you still need majority of coins to confirm double spend.