Bitcoin Forum

Since I'm not a developer nor a hacker I cant modify wallets to do such an attack, but here's the concept, which may not be right, but crackers may try.


We're going to exploit low PoS difficulty and prominently it's low for even 100% PoS coins. Like for mintcoin it's 0.243, even for popular and old coins like PPC, the difficulty is 10.

First let me explain the significance of difficult in PoS which's very much similar to difficulty in PoW. But don't assume low PoS difficulty means higher rate of returns. Each block gives the miner variable rewards depending on the current difficulty which predicts the probability of the coins to mint a PoS block. A low difficulty means the coins will easily be able to mint PoS blocks, since the number of PoS blocks generated by coins are frequent, the block reward will drop cause the interest rate is capped. In other words, when difficulty is low, the coins will have to wait less to generate a block reward, i.e. the coin will have less age so the block reward will be low. Similarly if the difficulty is high the block reward will increase cause the probability of the coins to make a PoS block will be less, so PoS blocks generated by the coins will be less but the interest rate has to be maintained at 20%; so to compensate for the lower block rate, the block reward will increase.

In PoS, when a node receives a number of coins all in 1 transaction (call this transaction X and the no. of coins in the transaction as A), all of these coins will be used to mine a block. The more the no. of coins in X, the higher the chance of hitting a block. The older transaction X goes the higher the chance of hitting a block. For coins which were received in another transaction (apart from X, call this transaction Z) but to the same address will try to mine a block separately from Z; the wallet will use Y along with X independently to mine blocks.

Suppose the probably of mining a block for X is within x days, after mining, the coin age renews to 0, making it ineligible to mine a block till it's old enough to mine blocks again.

We're going to compare the set of coins X which were received with in a single transaction to a no. of transactions the size of each being 1 coin, but the no. of transactions is such that it results in A no. of coins (i.e. A no. of transactions). This mean for each of these coins, the wallet will try to generate a block using them separately. Let's call this set of coins Y.

The probability of one coin to generate a block is x/A (since X has A no. of coins); for all of  A no. of coins used together, the probability to generate a block is (x/A)*A = x. So Y has the same probability to generate a block as compared to X. Once a block has been mined, the age of the single coin used to mine a block becomes 0 and it comes ineligible for mining, but all other coins are still eligible for mining. Now the probability of Y to generate another block is (x/A)*(A-1) which is almost x (call this changing value y, i.e. y is the current mining power of Y after a no. of coins's age has been reduce to 0). Depending on the size of A, the this value of y will almost be the same as x for (x/A)*(A-1), (x/A)*(A-2), (x/A)*(A-3)... (x/A)*(A-100). The larger the value of A, the closer is the mining power to x as a single coin will be less significant for a large value of A.

So Y has lot more power to generate blocks as compared to X with the same no. of coins. The attacker with possession of Y can wait for an attack till the coins become older which yields better probability of blocks. (update) In fact, the probability of generating a single block by splitting stakes (Y) is more effective than the regular X method. The reason being, as the no. of coins increases, the probability of hitting a block does not increase linearly (see this (http://poscalculator.peercointalk.org)); it's increment rate decreases. So the network difficulty is lower. But if you've split your stake (as with Y), the probability of staking a block will increase linearly, cause each coin has it's own staking instance. It's stake is calculated separately.

In a 51% attack block mining power is exactly what you need. You try to fork the block chain and try to make the forked chain longer than the main chain and once that happens all valid transactions in those chains will be lost (double spending). So when it comes to hashing power, PoS is more vulnerable to PoW.

It's a fallacy that you need most of the coins in a PoS coin to attack it; it all depends on the difficulty. You can do an attack even if you have less than 1% of the coins. It's all on the difficulty.

If you do a mindless criticism (criticizing me without any reason or calling the whole text gibberish without stating a reason), realize that it's clear that you own a huge stake in a 100% PoS crypto and are planning to dump it at a pump which this article may reduce the probability of (if it is true).

If you don't believe me, very well. I got no issues, but I'm always open for constructive discussion. As of attackers, they may try this and succeed while you believe this's a lie.

Curious, I have a few qns:

1) coin-age is no. of coins * number of days (age)? I am not sure how it is implemented but there are 2 points:
    a) age is limited depending on the coin's implementation
    b) max coin-age depends on the amount of coin you have at max age?

2) 51% attack assumes you can carry it out continuously? that is, more > 1 confirmations?

Yes, that's the coin age as per my understanding. But in this article, when I talk about age, I talk about the actual age -- the amount of time the wallet has held the coin.

a) If you believe this (http://poscalculator.peercointalk.org/) calculator, as the coin becomes older (age is not the right term here) the probability of hitting a block increases and yes there is such a limit of 90 days. Also rate of interest per year (not per block) is limited. If you've not hit a block for a long time (the coin is very old -- older than 90 days), the rewards will be higher to maintain the ROI. This factor does not have any limit of the age. But this will not limit the attack vectors in any way.

b) This question is not clear considering the above discussion.

2) Yes, absolutely. For each block mined, only 1 coin's age is consumed. We have plenty of other coins in set Y. The bigger the size of A the longer you can attack.

From: http://www.peercoin.net/minting: "The maximum age a coin can have is 90 days, after this the coin does not age further."

In other words, you are saying the implementation is not as described?


if there is a age limit, at max age, coin-age depends on num of coin


yes, assuming no age limit, we can have 1 coin per transaction and for each coin of great age, it is possible for multiple block finding.

Sorry about that, I modified the above post before you read it.

As per the calculator and the link you provided, the coin age literally mean the coins age, not no. of coins * days the coins has been held.


If you see that calculator, if you increase the no. of coins, the probability of hitting a block always increases regardless of the amount.


No, it's not assuming that. I've specified this --


Edit -- I've not considered TX fee which's something PPC specific. PPC is not 100% PoS.

I'll think about TX fee also.

For 0.01 TX fee, the attack will be made just 1% more expensive.

So it doesn't matter.

Interesting, can others more experienced confirm? Will this also apply to hybrid PoS/PoW?

Agreed this needs more discussion.

I don't think anyone knows how secure 100% POS is based on all the peercointalk forum posts i've read

Perhaps can check with Jutarul?

Ref: https://bitcointalk.org/index.php?topic=131901.0

Looks like this vulnerability is known since December.

Humm... I think this attack is different. The vulnerability in this thread cannot be fixed like this. The design of the coin has to be changed for it to be fixed.

The link just increases the no. of trials the wallet does to generate a valid block, were as this increases the probability of a block by splitting the stake.

As far as I can see, this does not apply to Nxt, since there is no "aging" of coins after they forge a block.

Interesting just because i know no one outside of hard core Crypto is going to understand any of that - can i just state it in plain language and you tell me if i far or close to the mark?


PoS  means Proof of ownership like owning a Bond. + interest.

When you hold units of crpyto they age like bonds and mature giving back an "interest" stake -  

DE_logics is basically saying  or theorizing that under certain conditions  if you had:


10 Bonds (ten pieces of interest bearing paper) each worth 1 unit + 1 unit of interest.

you would earn more net interest verses:

One single 10 unit Bond + its interest.

* even if the interest is meant to be equal - i.e the 10 bonds should equal the exact same net return as the single Bond because they are the same units net worth and the interest rate is "fixed" by whole the system.

and in this way, this could be a flaw in PoS  because someone could split up their bonds (something you can do with crypto)  and generate enough interest to control the whole game.



how did i do ?

if its on or close to the mark i will post it back on the other thread as it is relevant -

From reading it, it seems similar.

Basically, when you find a block - the coins in the transaction that were used to mine the block are all reset to 0.

If there is less coins in the transaction, there are less coins reset.

However, doesn't the luck increase exponentially rather than evenly, such that a transaction with 4 coins in, is far more probable than 4 single 1 coin transactions to mint a block?

Someone should do this practically? It would be a huge turn off to PoS, this is pretty big and should be fixed?

No no, that's not the vulnerability. That issue got taken care off in the first release of PPC. That's why I tried to explain here --


In the illustrated attack the interest generated will be the same, but the rate of generating blocks will increase dramatically.

i can confirm that the OP is on the right track and it is possible to fork a coin with only a few stake blocks but there are far more reliable and effective ways of making a coin fork

I have been running a POW/POS coin for while now and i have seen a lot of ways people try and attack coins i cant go into how its done but a lot of the coins are no way near as secure as people want you to think 

Yes -- this's close to what I'm trying to do. The luck remains the same with 4 single 1 coin transactions, but after a block has been mined, one of the coin's age will be consumed and it'll not be available for mining -- the rest 3 are still available for mining.

So that increases the effective hashing power exponentially and for a long amount of time.

Of course 4 coins is just an e.g. I've already said --


In this e.g. A = 4 single 1 coin transactions

And x = approx. time to mine a block when A is received as a single full transaction.

fixed

It does matter. The 0.01 PPC tx fee will dramatically limit your attack power. You have to pay 0.01PPC tx fee for each smaller unit of PPC when you divide each PPC into smaller unit of PPC, so you can't divide one PPC into unlimited smaller unit of PPC.

That comes out as 1% overhead. 0.01/1*100 = 1%

You cant stake mine with balance under 1 coin, so that's the minimum you need to split.

You can't assume the minimum would be adequate.  You may need to subdivide into millions of separate transactions to provide enough leverage for this to work.  And then whether it will work depends on the specific implementation of proof of stake you're talking about.

I've heard that in peer coin that the coin age consumed plays a role in determining the preferred chain the network will follow, which may make this attack ineffective (if that's staking coin age, since you would consume very little in your attacking chain with this method), but I'm not sure on the specifics.  Someone who knows the details on the code would have to weigh in.  Since most PoS coins are forked from Peercoin, this attack may not be an issue.

There's also a "PoS 2.0" that's supposed to be coming out in a while for BlackCoin that addresses some PoS security issues, but not sure in particular what those issues are.  Might be more info coming out later.

I don't know much about the details of other PoS implementations, but I might say something about Peercoin.

The coin age that is used for calculating the probability of successful minting is capped at 90 days.
So you can for sure raise the probability for successful minting subsequent blocks by splitting the coins to separate transactions (4 coins in one tx allows minting one block, whereas 4 coins in 4 tx allows minting 4 blocks), but the probability for creating each of the PoS blocks stays low and is far from "owning the block chain" - at least if you have only a small share of coins.

Like you said in your initial post: It's all on the difficulty.

At the current difficulty it's unlikely to mint a block with a tx that contains only 1 PPC. Even if you have reached the max. considered age of 90 days, the probability for successful minting is roughly 1% in 3 months (at diff 10).
If you have 100 tx with 1 PPC each, you have for each of those a probability of 0.01 to succeed and 0.99 to fail.
To fail at minting with all those tx you have 0.99^100 = 0.36
So you have a chance of of 36% to mint not even one block and a chance of 64% to mint at least one block.
And even if you have an almost similar chance to mint more than one block in those 3 months, it is quite unlikely that these are subsequent blocks (in 3 months you have approx. 13,000 blocks of which the majority are PoS blocks).

If you do the math with bigger numbers, you can for sure push the probability higher and higher. But you risk more and more money the more coins you want to use for this attack...

After successful mininting the coins need to gather an age of at least 30 days before they can be used for minting again. And after successful minting the used coins need to mature for 520 blocks before they can be transferred.

Assume? It's the reality. In PPcoin (and in most PoS cryptos), you're not eligible for PoS mining if the coin's quantity is less than 1. They attacker may use 2 even, but there's no point in doing that.

To see if this attack will work on not depends on the situation (current difficulty) and not the design. All 100% PoS coins are vulnerable and hybrids are vulnerable to a certain degree.


Coin age used to mine blocks; I don't understand for what purpose it will determine what chain to follow. I mean, chains get forked for genuine reasons (network latency) and all chains will have to be respected for things to work and that includes the attackers chain. There's no way to determine the new forked chain being formed is by an attacker or not.

If this concept fails, you'll not get a return of 1% per annum. All coins in the wallet are treated equally as all coins in the network; each coin doesn't prefer a specific chain.

Of course you cant kill PPC with 100 coins, you need a lot more. It appears PPC's POS staking is distributed, so it's hashing rate is higher. But you need clearly much less than 51% to attack the network. Besides 1% interest is hardly any incentive to hold and mine PoS blocks.


That's the interest you're talking about. That's only a small fraction of what coins he holds (a few blocks worth). The attacker won't care about that. He'll be concerned about selling his already confirmed balance.

The text below also applies to PoW also --

When one tries to fork a chain, he modifies the wallet to fork from a specific block and he'll be the only one mining from that specific block. Even if other miners add in, it's good; that'll help further in elongating the chain and making a double spending successful -- that's what the attacker wants. Other miners cant determine which chain is the attacker's and which is the good one, only the attacker know about it.

The attacker can start forking the chain from the current block minus 2 (forking from the 3rd latest block). By the time 3 other blocks are generated (and the attacker's transaction is confirmed), the probability of the attaker's chain overtaking the genuine chain increases. Once the forked chain is long enough, other miners will now mine on the attacker's forked chain.

As of risks of investment, first a fork in the block chain takes quiet a lot of time to determine. The people who's balances went missing are the ones who are complaining and it'll take at least 6 hours for their voice to be heard and the developers to respond to it. The markets will respond at least 2 to 3 hours later (after potential investors and holders will be made aware of it).

So in 8 to 9 hours the attacker can easily sell his coins for something else. All he needs is an hour for the purpose (confirmation time).

I don't know how that's handled at other implementations, but at Peercoin the difficulty of the PoW and the PoS process are automatically adjusted to let the network create 1 block each 10 minutes - allow me to ignore the PoW blocks in this scenario.

For security the PoS process is relevant, because the trust of PoW blocks is one (which is negligible compared to the PoS block trust of billions at the current difficulty).
The "attacking chain" lets the network adjust the difficulty in "his/her fork" by having less success in minting (due to less coin age in use than the "regular" chain; the scenario is based on an attack with only 1% of coins).
The difficulty gets adjusted and the outcome is 1 block each 10 minutes with less trust than in the "regular" chain (because the trust depends on the difficulty).
The decision which chain to choose in case of forking is based on the chain trust and not by the length of the chain.

Result: that forked chain will not be chosen by standard clients.

And this is only a technical evaluation. Evaluating that attack economically is another thing that might question the "success" of such an attack - assuming it is done for economical reasons. It can for sure be considered that some entity simply wants to "kill" a coin.

But let me try the economical evaluation. Say you have 1% of all Peercoins (random example of PoS secured coin ;) ).
You manage to successfully double spend. How many of those Peercoins have you double spent? Half of it?
Say you could successfully double spend half of your 1% Peercoins. Some (only a few) have been used for the attack.
You need to sell 0.5% of all ever created Peercoins in a short period of time (before the attack gets recognized and some kind of panic sell might occur). 0.5% of all Peercoins is a little more than 100,000 PPC. If you have a look at the market depth at even popular markets like btc-e, you see that it'll be a problem to sell those PPC in a short time without a big loss.
You might have double spent a lot of PPC, but you have lost most of the value of the 0.5% you try to sell.
The math would be better if you could double spend more than just the half of the coins. But in that case the attack becomes significantly less likely (and I still doubt you can exactly and deliberately pull off that double spend with only a small share of coins at a chosen point of time - the double spending requires the control over the point of time, though...).

In the end it is neither technically nor economically inviting to try such an attack.
You need to spend coins.
You need to successfully make a fork of the block chain the chosen one at exactly that point of time (like explained above not only not likely but rather impossible (remember the chain trust!) under the given circumstances).
You need to spend the coins again.
You need to sell the remaining coins in a short period of time.

One thing that could be considered: depending on the value of the transaction one might want to wait more than only 6 confirmations before the transaction is considered successful.

You're missing the point of what I said.  Since you can't divide into less than one coin, that limits your ability to leverage this attack vector.  So the point is you can't just assume you'll have enough leverage for an attack, since there's a hard limit.


...To prevent attacks like the one you're suggesting (and others).  I am referring to coin age spent on staking blocks, not coin age held in wallets.  Using only coin age spent would obviously be a bad idea as well, so I'm guessing it's some combination of block length and coin age spent taken into consideration, but I don't know specifically what is used in PPC or BC.


I'm not sure what you're even talking about here.  Of course each coin doesn't pick its own chain, the wallet will use the protocol's rules in determining which chain to follow, simple as that.  I think most coins use something different than the simple "longest chain" these days though, even bitcoin factors in work completed.

I don't believe the point of this attempted attack is to lower the difficulty, but to have more coin age than the rest of the network (due to the fact that very little coin age is lost with staking blocks).  So, if the attacker continues to hold more than 50% of the coin age as he mines blocks, the difficulty would actually increase.  However, there may be other factors taken into consideration that would prevent this, and for PPC in particular the 3 month maximum coin age would severely limit the attack.

You're talking about the difficulty retarget algo.


So difficulty adjustment every block may not be good enough.

Unfortunately PPcoin's difficulty retarget algo has not be susceptible to multipools and sudden spikes in difficulty, as a result it's not as refined as compared to PoW coins where we have a lot of innovation going on like DGW, KGW, digishield etc... etc... etc... so the possibility of an attack is always lurking cause the difficulty retarget is not swift enough.

As a good e.g. you can see Entropycoin who's pastblockmass in KGW is 2 -- which makes it 51% resistant.

Also '1%' is just in the subject to explain in short "a small amount". The attacker can wait till 90 days before an attack to get maximum coin age.

One can buy a lot of coins to kill PPcoin clones like Mintcoin, blackcoin etc... but PPC is too expensive to just do a mindless attack. There has to be benefits.


Selling coins in an exchange is based on buy orders. Why do you think it'll take time? Sending coins across multiple exchanges hardly takes any time (except confirmations). Also an exchange may not always be used to sell. It can be done in private, all in an exact timing.

If he sold the first genuine batch of PPC at 100% price, he'll atleast get 60% on the second sell. The attack may be timed -- when big buy orders are in place to increase profit.

The attacker may buy PPC at low prices again based on timing (5 or 6 months ago for e.g.), and sell when the prices are high to further increase profit above 200%.

Again 1% is just an e.g. 100,000 PPC is quite a lot for the record (390 BTC).


PPC takes an hour to confirm a transaction; that's too much time. No one has that much patience, especially exchanges which require swift action in volatile markets.

So confirmation times maybe taken as a block, but never more than an hour. As of large transactions, I've never seen an exchange which increases the no. of confirmations based on the amount received.

Yeah, that's obvious.


I already mentioned it.



That's going to preventing people from mining as a whole. People keep money in their wallet to spend anytime they want. If mining prevents that, they wont mine at all, especially for 1% interest rate. I mean, waiting for 4 days to spend coins is unacceptable!



Longest chain is the only option. A wallet, or any person does not know if the forked chain is cause network latency or an attack. You cant be sure even after an attack unless someone shows someone benefited (i.e. this requires human intervention).

The attacker can compensate with more balance.

Actually it depends all on the difficulty.

If you think -- the average age of the coin the network has online will be less, cause no one is just going to keep his wallet offline just to age coins. Only the attacker is going to do that. So that might be an additional advantage to the attacker.

PPC has been replaced by darkcoin, which's again pointless (http://delogics.blogspot.com/2014/05/darkcoin-review.html).

Why do you feel the need to post a link to this thread on EVERY PoS coin released? Go fuck yourself. Seriously, go sit on a machete.

nobody will believe u before we see u in action,so u ve to kill a coin, choose one and kill it  ;D
or u can create a POS coin, and make a sample...

while the op has a valid method, another method or useful variation is to exploit this line in the source code

https://github.com/numbercoin/Numbercoin/blob/master/src/main.h#L54

I am posting this for awareness and security for those running coins, in particular proof of stake.

I am not going to give details. Anyone who understands what is going on with the code will know exactily what this means.

I am certainly not going to go about attacking or exploiting coins at random. 

I see nothing productive in that.

Just let them die naturally, support coins you like, ignore the others...........

Now if I found out someone running another coin was trying to attack one of my projects...... then I may feel differently......

There are multiple security holes in many alt coin wallets all ( or almosts all)  of which (to my knowledge) are detailed around the forums.

You just have to know where to look and have the patience to read through a lot of junk. 

I feel quite safe with my Pandacoin (PND) 1oo% PoS  Current Block: 179,108. PoS Difficulty: 573.69831087. Net Stake Weight: 42,302,817,860.14953613.
The safest PoS coin IMHO and yet still relatively unknown and very inexpensive for now too, so get yourself some and start helping to secure it further while you get paid to Stake Mine your own!

I will be more concerned with PoS if / when someone is successful in attacking one of them, and it will not be Pandacoin(PND) ;)

learn more   https://bitcointalk.org/index.php?topic=632657.0

https://bitcointalk.org/index.php?topic=599299.0
http://www.blackcoin.co/blackcoin-pos-protocol-v2-whitepaper.pdf

I haven't read the entire thread, but if I understand the OP correctly, then I think this is known by some of the more knowledgeable people. Just not discussed much these days. The main point as I understand it is splitting your stake means minting some POS blocks doesn't significantly reduce your chance of minting the next blocks.

For example, if you look at Balthazar's (Novacoin's developer) formula below, he already implicitly assumed this.
https://bitcointalk.org/index.php?topic=289946.msg3104704#msg3104704

That post is also very illustrative of the challenges POS systems face.

Yes, you got it right.


Apart from that, I see PoS as a flaw in the economic model also.

See point 2) C) from http://delogics.blogspot.com/2013/12/the-ultimatebest-cyrptocurrency.html

Why have an urge to kill other peoples coins. Unless the coin was built for a scam, I see no reason why anyone would want to destroy someone else's work.

There's profit in killing a popular coin with low difficulty.

You can double spend.

for teh lulz.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           

There's a flaw in the way the Bitcoin protocol distributes objects which can be used cause mischief with a PoS (and hybrid PoS/PoW) coin that has low PoS difficulty. I won't go into further detail, other than to say I have discussed it at length with Sunny King and for a popular coin like PPC is unlikely to be possible, but for the quieter coins it is of more concern. I can't see any easy way to fix it.

I'd be glad to know more details about this issue. Would you mind to share some info with me perhaps via PM if you prefer?

There are so many coins with low PoS difficulty.  Therefore even there's no easy permanent fix, we better come together to find a way to at least minimize the possible impacts it may arise

If trouble awaits with certain kinds of coins, it would be nice to be informed about it. Don't you think serious hackers who perform real attacks are far more likely to already know or be able to figure it out on their own than normal users/investors, and hence giving more information about it here is more likely to benefit normal users than real attackers?

I agree with your sentiment, but in practice if there is no possible fix (or way to protect yourself) then revealing details will just accelerate the 'mischief.' As mentioned I have discussed it with Sunny King but I think he's more concerned about looking after his own coin, and PPC currently has sufficient strength for it to be an irrelevant issue. In hindsight, I probably shouldn't have posted anything at all.

just seeking clarification here. but would this "theoretical exploit" still apply if a coin had a low inflation? such as 1-5%? meaning.. not 100%POS?

There are hardly any successful PoS coins. Especially the ones which have been mined.

There's more profit in finding vulnerabilities in Microsoft software and selling/exploiting them for botnets.

Yes, but to a limited extent. The more the PoS block, the more insecurity will be added.

you don't need to kill PoS coins, they die on their own...

Do you have code references to support this claim?

It is amazing how little people know about the PoS mechanics off ppcoin and descendants. It is true, that some coins are very poorly configured, but let me give you an example and ask you to re-play your attack logic there. The current version of Diamond, has minimum stake time of 7 days and maximum stake time of 30 days. It also has a combine threshold of 100. What those numbers mean is this:

1. You DMD can't stake while younger than 7 days.
2. If your DMD happen to stake between 7 and 30 days (because of sheer luck, or because of too much coin age), it will be subject to splitting. The amount plus reward will be split in two almost equal pieces.
3. If your DMD happens to stake, when it is older than 30 days - for example, you kept your wallet locked for way too long, or the amounts are too small they can't be lucky enough -- then the amount is not split. Instead, the combining routine is invoked. What it does, is find other DMD amounts older than 30 days, and combining them all untill they all are not over the combine threshold (100) in this case. Then all these amounts stake together and create one new amount or around 100 DMD + reward.

Now, say you have 10,000 amounts of 1 DMD which you let age enough and you hope could help you create such an attack. Tough luck... If they are all aged over 30 days, when they start to stake, each of the stakes will group 100 of them into one amount. You will end up with 100 stake events, instead of 10,000 as you had hoped. Caveat emptor.

Are you still convinced this "attack" could succeed?

If you want something like this to succeed, you need big piles of coins, large number of them, sitting with PoS disabled for a very long time, in order to be able to execute an attack like this. Which brings us back to the original PoS claims... more or less.

To PoS coin developers/maintainers: You guys should look at this line in your code:

int64 nCombineThreshold = GetProofOfWorkReward(GetLastBlockIndex(pindexBest, false)->nBits) / 3;

This thing is usually improper. You are confused by the "do not touch this, we invented it right" comments around it, but in fact, what it does is limit the combine threshold to 1/3 of your PoW reward. You disabled PoW, perhaps, or reduced it's reward too much?  The nCombineThreshold sets the upper limit of how big a pile of coins PoS will create for older coins. You want this to work! Mostly because the endless splitting that is done by PoS otherwise will create too small coin piles to stake often. Using Coin Control for this task is pretty much pathetic -- it is already built in your PoS code, use it.

You might want to thank me, or not ;-)

I would only like to answer the other half of your post -- the others being too rudimentary to answer (please ponder on your own).

The coin control you're talking about can be easily disabled. It doesn't break the protocol and there's no way to know if the stake was generated by a single person or not.

That part was not really for you.

So you have a bunch of small amounts you wish to stake. How do you manage to guess the stake modifiers to be able to create these PoS blocks in a row?

The "probability" formula in most coins is this:

    int64 nTimeWeight = min((int64)nTimeTx - txPrev.nTime, (int64)nStakeMaxAge) - nStakeMinAge;
    CBigNum bnCoinDayWeight = CBigNum(nValueIn) * nTimeWeight / COIN / (24 * 60 * 60);

(in some coins it's re-arranged, in some this code is refactored partially into a function -- but it is essentially the same everywhere).

This code is very easy to decipher. The time weight is the difference between the coin age, capped at nStakeMaxAge (reference 90 days) minus nStakeMinAge (reference 30 days). Of course, before doing this calculation nStakeMinAge is checked etc so it cannot come negative.

Then, with a simple calculation, you get a weight in coins*days. Given the above reference numbers, your 'staking chance' ranges between 30 and 90 coin*days for a 1 coin amount. The rest is pure luck, random numbers.

There used to be bug in the protocol, fixed in v0.3 -- that permitted coin stake to be burned in high pace and then, your suggestion to burn smaller amounts makes sense. But that bug has been fixed long ago.

Also, in your invention, you claim that "Each block gives the miner variable rewards depending on the current difficulty" -- which is essentially not true, at least for most PoS coins. The 'difficulty' in PoS is merely multiplied with coin*age to produce your chance to participate in PoS. The PoS reward is strictly dependent on coin*age*interest and 'difficulty' is nowhere in that calculation.

The PoS 'difficulty' is used to pace the creation of PoS blocks (too). Which essentially means, that if you ever succeed to make your too many small amounts stake in a row, you will need to be able to find good enough hashes to prove you solved the difficulty part.

Yeah, see that's exactly what I said. The probability of a single coin staking is 1/x (where x is your calculated coin weight). So the probability of a million coins is 1,000,000/x.

From what I understand what you say, as per your logic, a graphs card should never be able to mine any coin and a single core CPU is infinite times after than the GPU when it comes to mining. Cause if a graphics chip has 1500 stream processes; each core will have negligible hash rate, so the probability of a core to mine a block is negligible.  :P

In fact, by this I've uncovered another vulnerability using this (http://poscalculator.peercointalk.org/) calculator.

As the no. of coins increases, the probability of hitting a block does not increase linearly; it decreases. So the network difficulty is lower.

But if you've split your stake, the probability of staking a block will increase linearly, cause each coin has it's own instance. It's stake is calculated separately.

That means the network hash rate of genuine PoS miners will lower, helping the attacker more.


Difficulty=coin*age
coin = Difficulty/age

PoS reward = coin*age*interest
PoS reward = Difficulty*interest


As I said, rudimentary question. I'm not answering any of these rudimentary questions in the future. I'll just put a notice and link this this conversation.

Please you should know high school mathematics to understand this vulnerability. And of course have some common sense (to understand what's a 51% attack in the 1st first place).

Updated top post with new vulnerabilities.

Just a hint: as you further split your coins, the computational effort to search them all becomes non-trivial.

Otherwise, I will leave you to live in your fork of mathematics, high or higher and logic.