Bitcoin Forum

Alternate cryptocurrencies => Altcoin Discussion => Topic started by: Propulsion on July 14, 2014, 05:06:25 PM



Title: The Deathblow to Proof of Stake
Post by: Propulsion on July 14, 2014, 05:06:25 PM
A single point of failure
Mintpal was compromised. The attacker gained 30% of the total supply of Vericoin in the attack. Which in turn, led the Vericoin development team to do something unprecedented in cryptocurrency history. They created a mandatory rollback.

What is a rollback?
A rollback goes back in time from blockheight 100 to blockheight 75. When a rollback is performed, all transactions after a certain point in the blockchain are effectively destroyed. If Bob bought a Casascius coin from Sally for 1000 vericoin, Bob would now get the 1000 vericoin back while Sally has nothing. All transactions after blockheight 75 would no longer exist.

The necessity of the rollback
In every single instance of any exchange or service getting hacked, there has never been a rollback implementation. For Vericoin, this was actually very necessary. Vericoin creates its new blocks by using proof of stake. When the attacker gained 30% of the coins in one go, they effectively gained 30% of the hashing power. You can see how dangerous this is. All it would take is an additional 21% to effectively completely own the network. If Vericoin used a proof of work system, the only danger would be the market price plummeting from the sell off, but the network itself would never be in danger.

The unprecedented solution
A rollback is terrible. Every single cryptocurrency relies on the public blockchain ledger. It is the holy grail of the entire currency. Once something is written to it and not orphaned, it's set in stone. When the team decided to initiate the rollback, they decided to use the nuclear option. They broke the entire foundation of crypto and set a new norm where it will be ok to undo transactions if they are large enough. Instead of the developers only being developers, they've now taken the option to also be the federal reserve and the police.

Proof of Stake's flaws
Vericoin only had the nuclear option available because of proof of stake. When an attacker gains coins in a proof of stake currency, they not only gain money, they gain network control. Vericoin was between a rock and a hard place. They either let the attacker have 30% of the total staking power, or set the precedent of rolling back. The reason they took the rollback option was because they could. (for now)

Impossible to rollback when big
Vericoin is so new that there is not a lot of merchant support. If it was as widely used as Bitcoin with 1000's of transactions a day and tons of merchant support, a rollback would kill the currency. Merchants would have shipped products with no payments and people wouldn't have been paid. Hypothetically, if any proof of stake currency did become as big as Bitcoin and was compromised just like now with 30% of the total coin supply taken, the currency would effectively not be able to rollback and allow a malicious entity to control the network. A large hack would become a death blow creating uncertainty in the integrity of the network.

TLDR

  • None of yesterday's events were Vericoin's fault.
  • Proof of Stake is not feasible: in a large attack, the attacker gains crypto and network control.
  • When a single entity fails (an exchange) no currency should ever undo their mistakes by wiping it from the chain.
  • If a proof of stake currency ever becomes huge, it would not be able to rollback and would have to allow a malicious entity to have network control.
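
An added illustration, not part of the original post and not Vericoin code: a toy ledger that replays constructed transactions to show which transfers a rollback from blockheight 100 to 75 discards and how the thief's share of staking weight changes. It assumes staking weight is simply proportional to balance; all account names, heights and amounts are constructed.

```python
"""Toy ledger: effect of rolling a chain back from height 100 to height 75.

Constructed data only. Assumption: staking weight is proportional to balance
(real proof-of-stake coins also weigh coin age and other factors).
"""
from collections import defaultdict

TIP, CHECKPOINT = 100, 75

# Constructed opening balances (total supply 100,000).
GENESIS = {"exchange_hot_wallet": 30_000, "bob": 1_000, "sally": 0, "others": 69_000}

# Constructed transactions: (block height, sender, receiver, amount).
TXS = [
    (60, "others", "bob", 500),                       # before the checkpoint: survives
    (80, "exchange_hot_wallet", "attacker", 30_000),  # the theft
    (90, "bob", "sally", 1_000),                      # Bob pays Sally for goods
]


def balances_at(height, genesis=GENESIS, txs=TXS):
    """Replay every transaction confirmed at or below `height`."""
    bal = defaultdict(int, genesis)
    for h, sender, receiver, amount in sorted(txs):
        if h > height:
            break
        if bal[sender] < amount:
            raise ValueError(f"block {h}: {sender} cannot spend {amount}")
        bal[sender] -= amount
        bal[receiver] += amount
    return dict(bal)


def stake_share(balances, who):
    """Fraction of total staking weight held by `who` (balance-proportional model)."""
    total = sum(balances.values())
    return balances.get(who, 0) / total


def discarded_by_rollback(tip=TIP, checkpoint=CHECKPOINT, txs=TXS):
    """Transactions that cease to exist when the chain is cut back to `checkpoint`."""
    return [tx for tx in sorted(txs) if checkpoint < tx[0] <= tip]


def rollback_report(tip=TIP, checkpoint=CHECKPOINT):
    """Compare the ledger at the tip with the ledger after the rollback."""
    before, after = balances_at(tip), balances_at(checkpoint)
    accounts = sorted(set(before) | set(after))
    return {
        "discarded": discarded_by_rollback(tip, checkpoint),
        "balance_change": {a: after.get(a, 0) - before.get(a, 0) for a in accounts},
        "attacker_share_before": stake_share(before, "attacker"),
        "attacker_share_after": stake_share(after, "attacker"),
    }


if __name__ == "__main__":
    report = rollback_report()
    for height, sender, receiver, amount in report["discarded"]:
        print(f"discarded: block {height}: {sender} -> {receiver} {amount}")
    for account, delta in report["balance_change"].items():
        print(f"{account:>20}: {delta:+}")
    print(f"attacker staking share: {report['attacker_share_before']:.0%} "
          f"-> {report['attacker_share_after']:.0%}")
```

The report shows both effects the post describes: the theft is undone and the attacker's staking share drops to zero, while Bob's payment to Sally is discarded along with it.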



Title: Re: The Danger of Pure Proof of Stake
Post by: mrvegad on July 14, 2014, 05:14:30 PM
Another thread about the dangers of POS, what is this?  about the 5th or 6th thread? All I see so far is talk, if POS is so bad then why doesn't someone attack NXT?  Time to nut up or shut up.


Title: Re: The Danger of Pure Proof of Stake
Post by: Wulfcastle on July 14, 2014, 05:23:24 PM
Another thread about the dangers of POS, what is this?  about the 5th or 6th thread? All I see so far is talk, if POS is so bad then why doesn't someone attack NXT?  Time to nut up or shut up.

PoS is not the problem here, ignorance and incompetence is. This is all a result of MintPal leaving 30% of all VRC in existence in one of their hot wallets when they are supposedly making use of cold storage methods. It's also ignorance on the part of the VRC community for leaving that number of coins in one exchange, but it's not their fault this happened.

The key point is that PoS is not at fault here. The direct equivalent of this happening in PoW would be 30% of the network hash rate leaving their pools and mining at GHash.io, thus pushing the hash-rate over 51%. Let's not forget that GHash.io was on the brink of having 50% of the network hash-rate around 2 weeks ago so no one can say PoW is foolproof from attacks either.


Title: Re: The Danger of Pure Proof of Stake
Post by: Propulsion on July 14, 2014, 05:35:12 PM
Another thread about the dangers of POS, what is this?  about the 5th or 6th thread? All I see so far is talk, if POS is so bad then why doesn't someone attack NXT?  Time to nut up or shut up.

PoS is not the problem here, ignorance and incompetence is. This is all a result of MintPal leaving 30% of all VRC in existence in one of their hot wallets when they are supposedly making use of cold storage methods. It's also ignorance on the part of the VRC community for leaving that number of coins in one exchange, but it's not their fault this happened.

The key point is that PoS is not at fault here. The direct equivalent of this happening in PoW would be 30% of the network hash rate leaving their pools and mining at GHash.io, thus pushing the hash-rate over 51%. Let's not forget that GHash.io was on the brink of having 50% of the network hash-rate around 2 weeks ago so no one can say PoW is foolproof from attacks either.

A rollback wouldn't have been necessary if the attacker never gained hashing power which they did with the attack. In a proof of work system, a rollback wouldn't have been needed.


Title: Re: The Danger of Pure Proof of Stake
Post by: AlexGR on July 14, 2014, 06:58:57 PM
Another thread about the dangers of POS, what is this?  about the 5th or 6th thread? All I see so far is talk, if POS is so bad then why doesn't someone attack NXT?  Time to nut up or shut up.

PoS is not the problem here, ignorance and incompetence is. This is all a result of MintPal leaving 30% of all VRC in existence in one of their hot wallets when they are supposedly making use of cold storage methods.

If the design is not fault-tolerant of others' ignorance, incompetence or stupidity, then its dependencies for being useful are too large.


Title: Re: The Deathblow to Proof of Stake
Post by: ebliever on July 14, 2014, 07:02:07 PM
The unprecedented solution
A rollback is terrible. Every single cryptocurrency relies on the public blockchain ledger. It is the holy grail of the entire currency. Once something is written to it and not orphaned, it's set in stone. When the team decided to initiate the rollback, they decided to use the nuclear option. They broke the entire foundation of crypto and set a new norm where it will be ok to undo transactions if they are large enough. Instead of the developers only being developers, they've now taken the option to also be the federal reserve and the police.

I'd like to understand this better, because it has been bothering me for a while. Can devs really just unilaterally decide to roll back a blockchain in PoS? Aren't there other players involved who have to go along with the idea? Lately I've seen many examples of coin devs announcing forks and changes to their coin attributes, and I've had a hard time figuring out just how much power a dev has by themself, and how much has to be a consensus decision with other parts involved - and who are they? Miners, exchanges, holders of wallets, etc?

I can't believe devs have some secret key by which they can just single-handedly alter a coin contrary to everyone else's wishes. That would destroy all faith in such coins IMHO. So please help me understand this.


Title: Re: The Deathblow to Proof of Stake
Post by: Propulsion on July 14, 2014, 07:07:39 PM
The unprecedented solution
A rollback is terrible. Every single cryptocurrency relies on the public blockchain ledger. It is the holy grail of the entire currency. Once something is written to it and not orphaned, it's set in stone. When the team decided to initiate the rollback, they decided to use the nuclear option. They broke the entire foundation of crypto and set a new norm where it will be ok to undo transactions if they are large enough. Instead of the developers only being developers, they've now taken the option to also be the federal reserve and the police.

I'd like to understand this better, because it has been bothering me for a while. Can devs really just unilaterally decide to roll back a blockchain in PoS? Aren't there other players involved who have to go along with the idea? Lately I've seen many examples of coin devs announcing forks and changes to their coin attributes, and I've had a hard time figuring out just how much power a dev has by themself, and how much has to be a consensus decision with other parts involved - and who are they? Miners, exchanges, holders of wallets, etc?

I can't believe devs have some secret key by which they can just single-handedly alter a coin contrary to everyone else's wishes. That would destroy all faith in such coins IMHO. So please help me understand this.

This is the first time a rollback has ever been performed due to outside circumstances like an exchange failing to implement proper security. In essence, it's a bailout for the exchange. A rollback is the nuclear option, (never been done before) it might cause fallout for every single cryptocurrency in existence.


Title: Re: The Deathblow to Proof of Stake
Post by: profitofthegods on July 14, 2014, 07:14:14 PM
That is worrying. The only thing I'd disagree with the OP on though is that if Vericoin had been a lot bigger it wouldn't have been a bigger problem, it wouldn't have been a problem at all because there is no way you could ever have 30% of a widely distributed coin held on a single exchange. That only happened because VRC is new, not owned by a lot of people, and not traded at a lot of different places.

I don't think it's realistic to fear this happening to a large PoS coin like NXT as someone else mentioned above.


Title: Re: The Deathblow to Proof of Stake
Post by: KryptoFoo on July 14, 2014, 07:19:09 PM
30% of VRC's float in a single hot wallet? I know mintpal said they were not staking it but I find that hard to believe. It's either extreme incompetence in forgoing cold storage or deception and greed in staking their customers' coin.


Title: Re: The Deathblow to Proof of Stake
Post by: Propulsion on July 14, 2014, 07:19:32 PM
That is worrying. The only thing I'd disagree with the OP on though is that if Vericoin had been a lot bigger it wouldn't have been a bigger problem, it wouldn't have been a problem at all because there is no way you could ever have 30% of a widely distributed coin held on a single exchange. That only happened because VRC is new, not owned by a lot of people, and not traded at a lot of different places.

I don't think it's realistic to fear this happening to a large PoS coin like NXT as someone else mentioned above.

It would not have been possible at all to create a rollback if the currency had a wider adoption.

There would be too many merchants and private individuals affected. Every single transaction after a single point in time would effectively vanish.


Title: Re: The Deathblow to Proof of Stake
Post by: darkota on July 14, 2014, 07:19:42 PM
A single point of failure
Mintpal was compromised. The attacker gained 30% of the total supply of Vericoin in the attack. Which in turn, led the Vericoin development team to do something unprecedented in cryptocurrency history. They created a mandatory rollback.

What is a rollback?
A rollback goes back in time from blockheight 100 to blockheight 75. When a rollback is performed, all transactions after a certain point in the blockchain are effectively destroyed. If Bob bought a Casascius coin from Sally for 1000 vericoin, Bob would now get the 1000 vericoin back while Sally has nothing. All transactions after blockheight 75 would no longer exist.

The necessity of the rollback
In every single instance of any exchange or service getting hacked, there has never been a rollback implementation. For Vericoin, this was actually very necessary. Vericoin creates its new blocks by using proof of stake. When the attacker gained 30% of the coins in one go, they effectively gained 30% of the hashing power. You can see how dangerous this is. All it would take is an additional 21% to effectively completely own the network. If Vericoin used a proof of work system, the only danger would be the market price plummeting from the sell off, but the network itself would never be in danger.

The unprecedented solution
A rollback is terrible. Every single cryptocurrency relies on the public blockchain ledger. It is the holy grail of the entire currency. Once something is written to it and not orphaned, it's set in stone. When the team decided to initiate the rollback, they decided to use the nuclear option. They broke the entire foundation of crypto and set a new norm where it will be ok to undo transactions if they are large enough. Instead of the developers only being developers, they've now taken the option to also be the federal reserve and the police.

Proof of Stake's flaws
Vericoin only had the nuclear option available because of proof of stake. When an attacker gains coins in a proof of stake currency, they not only gain money, they gain network control. Vericoin was between a rock and a hard place. They either let the attacker have 30% of the total staking power, or set the precedent of rolling back. The reason they took the rollback option was because they could. (for now)

Impossible to rollback when big
Vericoin is so new that there is not a lot of merchant support. If it was as widely used as Bitcoin with 1000's of transactions a day and tons of merchant support, a rollback would kill the currency. Merchants would have shipped products with no payments and people wouldn't have been paid. Hypothetically, if any proof of stake currency did become as big as Bitcoin and was compromised just like now with 30% of the total coin supply taken, the currency would effectively not be able to rollback and allow a malicious entity to control the network. A large hack would become a death blow creating uncertainty in the integrity of the network.

TLDR

  • None of yesterday's events were Vericoin's fault.
  • Proof of Stake is not feasible: in a large attack, the attacker gains crypto and network control.
  • When a single entity fails (an exchange) no currency should ever undo their mistakes by wiping it from the chain.
  • If a proof of stake currency ever becomes huge, it would not be able to rollback and would have to allow a malicious entity to have network control.



I actually agree with these points. I'm sure Satoshi himself thought of PoS, but didn't implement it because it would eventually cease to be decentralized, and carries a large degree of risks that PoW doesn't, like Nothing at Stake attack, etc etc.


Title: Re: The Deathblow to Proof of Stake
Post by: Nullu on July 14, 2014, 07:25:33 PM
This isn't about the failure of POS. It's about the failure of Mintpal.


Title: Re: The Deathblow to Proof of Stake
Post by: Propulsion on July 14, 2014, 07:29:09 PM
This isn't about the failure of POS. It's about the failure of Mintpal.

POS was the reason the rollback was necessary. The attacker gained network control along with the stolen coins.

If it was POW, it wouldn't have been needed to rollback because the attacker wouldn't control the network.


Title: Re: The Deathblow to Proof of Stake
Post by: Nullu on July 14, 2014, 07:57:29 PM
This isn't about the failure of POS. It's about the failure of Mintpal.

POS was the reason the rollback was necessary. The attacker gained network control along with the stolen coins.

If it was POW, it wouldn't have been needed to rollback because the attacker wouldn't control the network.

No. The reason the rollback is apparently necessary is because Mintpal had a security flaw in their exchange and way too many coins that should have been in cold storage.

If this had been any other coin, would we be blaming the coin? The coin wasn't hacked. The exchange was. Yes, POS has differing consequences when coins are stolen, but this is an unintended consequence of POS. It's not a fault of the coin's design.


Title: Re: The Deathblow to Proof of Stake
Post by: AlexGR on July 14, 2014, 08:00:44 PM
If this had been any other coin, would we be blaming the coin? The coin wasn't hacked. The exchange was. Yes, POS has differing consequences when coins are stolen, but this is an unintended consequence of POS. It's not a fault of the coin's design.

The "unintended consequence of POS" is its flaw, as was evidenced in this case. It's not about coins per se. It's about the proof-of-(insertherewhatever) model is used.


Title: Re: The Deathblow to Proof of Stake
Post by: Nullu on July 14, 2014, 08:03:29 PM
If this had been any other coin, would we be blaming the coin? The coin wasn't hacked. The exchange was. Yes, POS has differing consequences when coins are stolen, but this is an unintended consequence of POS. It's not a fault of the coin's design.

The "unintended consequence of POS" is its flaw, as was evidenced in this case. It's not about coins per se. It's about the proof-of-(insertherewhatever) model is used.


So by that logic, because someone can steal bitcoins, and because the currency is anonymous in that the new owner can't be traced, this is a flaw too. This doesn't mean PoW or PoS are broken concepts, in much the same way Fiat isn't perfect either.

I agree that this has caused severe problems, but the blame does not lie directly with the coin itself.


Title: Re: The Deathblow to Proof of Stake
Post by: ebliever on July 14, 2014, 08:05:34 PM
This isn't about the failure of POS. It's about the failure of Mintpal.

POS was the reason the rollback was necessary. The attacker gained network control along with the stolen coins.

If it was POW, it wouldn't have been needed to rollback because the attacker wouldn't control the network.

No. The reason the rollback is apparently necessary is because Mintpal had a security flaw in their exchange and way too many coins that should have been in cold storage.

If this had been any other coin, would we be blaming the coin? The coin wasn't hacked. The exchange was. Yes, POS has differing consequences when coins are stolen, but this is an unintended consequence of POS. It's not a fault of the coin's design.

I think we need to distinguish between the FLAW and the VULNERABILITY.

The coin was not flawed. The flaw was with Mintpal security. That's disappointing and alarming in itself (are my other coins there safe?). But that's not a fault of vericoin. It's very curious why VRC was targeted and not BTC or another major coin. Hopefully we'll learn more as the investigation progresses.

The vulnerability is common to all POS coins, as the OP indicates. Vericoin is not at fault for this either, apart from the general decision to go with POS. This is troubling, because if POS has an intractable vulnerability then it implies we are going to be shifting back to PoW, with all the energy usage that entails. Hopefully the vulnerability will turn out to have a robust solution without going back to PoW.

Either way, Vericoin itself is not really at fault in this whole mess. Mintpal, and of course the thieves/hackers themselves, bear the most scrutiny. The Vericoin team is just making the best of a bad situation and deserve plaudits for helping fix (or 99% fix at least) a problem not of their making.


Title: Re: The Deathblow to Proof of Stake
Post by: Propulsion on July 14, 2014, 08:07:34 PM
If this had been any other coin, would we be blaming the coin? The coin wasn't hacked. The exchange was. Yes, POS has differing consequences when coins are stolen, but this is an unintended consequence of POS. It's not a fault of the coin's design.

The "unintended consequence of POS" is its flaw, as was evidenced in this case. It's not about coins per se. It's about the proof-of-(insertherewhatever) model is used.


So by that logic, because someone can steal bitcoins, and because the currency is anonymous in that the new owner can't be traced, this is a flaw too. This doesn't mean PoW or PoS are broken concepts, in much the same way Fiat isn't perfect either.

I agree that this has caused severe problems, but the blame does not lie directly with the coin itself.

The issue is how the coins are created. With POS or proof of stake, when you have a large number of coins, you can effectively control the network. The attacker gained control with the attack.

It's a flaw in POS that will create larger issues in the future if any POS coin becomes mainstream in the event of a large hack like yesterday.

Proof of work is not susceptible to losing control of the network if coins are stolen. Preventing the nuclear option of rolling back to save the network.



Title: Re: The Deathblow to Proof of Stake
Post by: atoni on July 14, 2014, 08:13:22 PM
That is worrying. The only thing I'd disagree with the OP on though is that if Vericoin had been a lot bigger it wouldn't have been a bigger problem, it wouldn't have been a problem at all because there is no way you could ever have 30% of a widely distributed coin held on a single exchange. That only happened because VRC is new, not owned by a lot of people, and not traded at a lot of different places.

I don't think it's realistic to fear this happening to a large PoS coin like NXT as someone else mentioned above.

Nxt is actually the most vulnerable, because BCNEXT and his alts control over 50% of network, if he held passwords in same place like Klee it's very likely that we see 51% on nexters very soon.


Title: Re: The Deathblow to Proof of Stake
Post by: atoni on July 14, 2014, 08:24:50 PM
That is worrying. The only thing I'd disagree with the OP on though is that if Vericoin had been a lot bigger it wouldn't have been a bigger problem, it wouldn't have been a problem at all because there is no way you could ever have 30% of a widely distributed coin held on a single exchange. That only happened because VRC is new, not owned by a lot of people, and not traded at a lot of different places.

I don't think it's realistic to fear this happening to a large PoS coin like NXT as someone else mentioned above.

Nxt is actually the most vulnerable, because BCNEXT and his alts control over 50% of network, if he held passwords in same place like Klee it's very likely that we see 51% on nexters very soon.

You can read on Salsazs blog how many nexters have been released to people to trade and how many is held by founder, a pocket change. Name of blog is pretty good too, it tells you how creator got rich lol

http://nxtcoin.blogspot.com/2014/06/how-nxt-changed-our-lives-james.html



Title: Re: The Deathblow to Proof of Stake
Post by: counter on July 14, 2014, 08:29:02 PM
I'm of the thinking that there was a problem that someone found and exploited it within Mintpal.  That doesn't mean the whole use of PoS is flawed beyond repair by any means.  Seems to me just by reading this thread it is clear that whatever happened here needs to be addressed and made sure such things don't happen again.  Arguing which system is better doesn't do much good at this time it only makes finding the best solutions harder.


Title: Re: The Deathblow to Proof of Stake
Post by: solid12345 on July 14, 2014, 08:30:49 PM
Nothing is talked about WHY so many coins sit on so many exchanges even after Mt. Gox

Most traders are paralyzed in fear that whales will dump a coin anytime they are too afraid to stake their coins thinking the time will come when the market starts tanking and they will be caught holding the bag.

Personally I think the best solution is a coin that has POS but also has an on-going POW too.


Title: Re: The Deathblow to Proof of Stake
Post by: Propulsion on July 14, 2014, 08:39:41 PM
I'm of the thinking that there was a problem that someone found and exploited it within Mintpal.  That doesn't mean the whole use of PoS is flawed beyond repair by any means.  Seems to me just by reading this thread it is clear that whatever happened here needs to be addressed and made sure such things don't happen again.  Arguing which system is better doesn't do much good at this time it only makes finding the best solutions harder.

You're missing the original point of this thread.

Proof of Stake is inherently flawed because in the event of a hack the attacker not only gains the coins, but he/she also gains the network.


Title: Re: The Deathblow to Proof of Stake
Post by: EvilDave on July 14, 2014, 08:43:00 PM
Yeah, and Bitcoin would obviously never, ever pull a rollback in the case of a theft, eh guys?

PoS is not the problem here, lousy security is.



Title: Re: The Deathblow to Proof of Stake
Post by: Nullu on July 14, 2014, 08:43:26 PM
I'm of the thinking that there was a problem that someone found and exploited it within Mintpal.  That doesn't mean the whole use of PoS is flawed beyond repair by any means.  Seems to me just by reading this thread it is clear that whatever happened here needs to be addressed and made sure such things don't happen again.  Arguing which system is better doesn't do much good at this time it only makes finding the best solutions harder.

You're missing the original point of this thread.

Proof of Stake is inherently flawed because in the event of a hack the attacker not only gains the coins, but he/she also gains the network.

Yes, but this is akin to blaming the bags of money, rather than the bank they were stolen from.


Title: Re: The Deathblow to Proof of Stake
Post by: papersheepdog on July 14, 2014, 08:45:25 PM
I'm of the thinking that there was a problem that someone found and exploited it within Mintpal.  That doesn't mean the whole use of PoS is flawed beyond repair by any means.  Seems to me just by reading this thread it is clear that whatever happened here needs to be addressed and made sure such things don't happen again.  Arguing which system is better doesn't do much good at this time it only makes finding the best solutions harder.

You're missing the original point of this thread.

Proof of Stake Extreme centralization is inherently flawed because in the event of a hack the attacker not only gains the coins, but he/she also gains the network. gets everyone's coins.

There fixed that for you. If we aren't taking responsibility for our coins, as this new form of money demands, we will be stuck with all of the same problems of the old way.

papersheepdog, Canada


Title: Re: The Deathblow to Proof of Stake
Post by: sadface on July 14, 2014, 08:58:40 PM
just throwing this in here: nxt multigateway


Title: Re: The Deathblow to Proof of Stake
Post by: atoni on July 14, 2014, 09:00:45 PM
just throwing this in here: nxt multigateway

Yes, especially with recent Klee episode. Sounds like very smart for people to send bitcoins to people that never ran currency exchange.


Title: Re: The Deathblow to Proof of Stake
Post by: illodin on July 14, 2014, 09:33:53 PM
Most traders are paralyzed in fear that whales will dump a coin anytime they are too afraid to stake their coins thinking the time will come when the market starts tanking and they will be caught holding the bag.

And, as there are so many coins these days, you can't properly vet everything. You wouldn't want to download some wallet stealer or keylogger attached to some random coin's wallet exe. So you reason it's safer to just keep the coins on an exchange during the pump phase and never to download the wallet in the first place.


Title: Re: The Deathblow to Proof of Stake
Post by: krisdavison on July 14, 2014, 09:44:16 PM
Wow a roll back. So anyone who bought some coins now has paid cash and has no coins great work. Or someone who bought something with coins now potentially has the coins and the merch.

But as long as those who are happy to trust their money in someone else's pocket get their coins back that's OK.

Glad its all controlled by the software and not some centralised person who decides who is allowed to transfer coins and who is allowed to get coins stolen.


Title: Re: The Deathblow to Proof of Stake
Post by: hicaribou on July 14, 2014, 10:26:45 PM
You can see how strong Peercoin network is:

Peercoin PoS Difficulty (please compare to a year ago): http://peerchain.net/charts.html

Peercoin Network Active Nodes (Last 24 hours): http://cryptocities.appspot.com/peercoin-1d-allnodes.html


Title: Re: The Deathblow to Proof of Stake
Post by: darkota on July 14, 2014, 10:32:25 PM
You can see how strong Peercoin network is:

Peercoin PoS Difficulty (please compare to a year ago): http://peerchain.net/charts.html

Peercoin Network Active Nodes (Last 24 hours): http://cryptocities.appspot.com/peercoin-1d-allnodes.html


Peercoin is not 100% PoS, it's mixed between PoW and PoS.


Title: Re: The Deathblow to Proof of Stake
Post by: Propulsion on July 14, 2014, 10:32:42 PM
I'm of the thinking that there was a problem that someone found and exploited it within Mintpal.  That doesn't mean the whole use of PoS is flawed beyond repair by any means.  Seems to me just by reading this thread it is clear that whatever happened here needs to be addressed and made sure such things don't happen again.  Arguing which system is better doesn't do much good at this time it only makes finding the best solutions harder.

You're missing the original point of this thread.

Proof of Stake Extreme centralization is inherently flawed because in the event of a hack the attacker not only gains the coins, but he/she also gains the network. gets everyone's coins.

There fixed that for you. If we aren't taking responsibility for our coins, as this new form of money demands, we will be stuck with all of the same problems of the old way.

papersheepdog, Canada

Extreme centralization is a separate problem altogether.

The worst case scenario in a PoW coin where a malicious entity has stolen a large percentage of coins, is they dump the coins at current market value and crash the price. Eventually the market should recover.

The above is true for PoS now too. Except now, the attacker also controls the network and can create a new chain in which he/she has never sold the coins on an exchange.


Title: Re: The Deathblow to Proof of Stake
Post by: _CapR_ on July 14, 2014, 10:33:32 PM
That is worrying. The only thing I'd disagree with the OP on though is that if Vericoin had been a lot bigger it wouldn't have been a bigger problem, it wouldn't have been a problem at all because there is no way you could ever have 30% of a widely distributed coin held on a single exchange. That only happened because VRC is new, not owned by a lot of people, and not traded at a lot of different places.

I don't think it's realistic to fear this happening to a large PoS coin like NXT as someone else mentioned above.

I agree.  This is a wealth distribution problem for a young coin and has little to do with PoS.  Yes having an exchange with a large stake of a PoS money supply is an issue but it's an issue which fades away over time as the PoS coin grows and matures.  It's the opposite in case of mining pools for PoW coins.  The threat of a mining pool gaining a large portion of the hashing power isn't going away.  Yes there's P2P pool but miners have to run full nodes in order to use them.  That's a plus for PoS coins and particularly Peercoin.


Title: Re: The Deathblow to Proof of Stake
Post by: HinnomTX on July 14, 2014, 11:12:55 PM
A single point of failure
Mintpal was compromised. The attacker gained 30% of the total supply of Vericoin in the attack. Which in turn, led the Vericoin development team to do something unprecedented in cryptocurrency history. They created a mandatory rollback.

This was not unprecedented. Read your bitcointalk history threads. NXT required a rollback in Dec. 2013 after someone exploited an overflow error in the NRS client.

Quote
The necessity of the rollback
In every single instance of any exchange or service getting hacked, there has never been a rollback implementation. For Vericoin, this was actually very necessary. Vericoin creates its new blocks by using proof of stake. When the attacker gained 30% of the coins in one go, they effectively gained 30% of the hashing power. You can see how dangerous this is. All it would take is an additional 21% to effectively completely own the network. If Vericoin used a proof of work system, the only danger would be the market price plummeting from the sell off, but the network itself would never be in danger.

Who's to say an exchange would not exploit a network? Were you really any safer with MintPal controlling 30% of the coin? Doesn't it seem likely they got greedy and were staking?

Quote
The unprecedented solution
A rollback is terrible. Every single cryptocurrency relies on the public blockchain ledger. It is the holy grail of the entire currency. Once something is written to it and not orphaned, it's set in stone. When the team decided to initiate the rollback, they decided to use the nuclear option. They broke the entire foundation of crypto and set a new norm where it will be ok to undo transactions if they are large enough. Instead of the developers only being developers, they've now taken the option to also be the federal reserve and the police.

Agreed. They are making a major mistake.

Quote
Proof of Stake's flaws
Vericoin only had the nuclear option available because of proof of stake. When an attacker gains coins in a proof of stake currency, they not only gain money, they gain network control. Vericoin was between a rock and a hard place. They either let the attacker have 30% of the total staking power, or set the precedent of rolling back. The reason they took the rollback option was because they could. (for now)

All altcoins are getting desperate and are willing to do unusual things for the sake of distinguishing themselves in a sea of altcoins. They did not HAVE to do the rollback, but they are experimenting in uncharted waters for crypto. The VRC lovers are already spinning the policing of their blockchain as a positive development for cryptos. I disagree because, to be a coveted currency, it must not lose convertibility, no matter the owner, thief or otherwise.


Title: Re: The Deathblow to Proof of Stake
Post by: giveBTCpls on July 14, 2014, 11:18:39 PM
The problem with POS is during the IPOs there are insanely high amounts of coins that belong to few people, big, very big stakeholders in the POS game. You could say the same about Bitcoin and other POW but the difference is not all coins have an owner yet as they don't even exist (they are being mined).


Title: Re: The Deathblow to Proof of Stake
Post by: flipme on July 15, 2014, 12:00:45 AM
The contradiction in this story is:

If the thief effectively controls the network now with his stake of 30%, how would you initiate a fork?
You simply couldn't. The thief could be coming out with his own wallet, blocking out everybody else. So what's going on here?

The whole story smells.
Why were there 30% of all coins in existence in a MintPal wallet?
Was that wallet staking?

Something doesn't add up here.


Title: Re: The Deathblow to Proof of Stake
Post by: EvilDave on July 15, 2014, 01:33:00 AM
just throwing this in here: nxt multigateway

Yes, especially with recent Klee episode. Sounds like very smart for people to send bitcoins to people that never ran currency exchange.

You obviously don't get the difference between an exchange and a gateway: it is not possible to store customer funds on the gateway, it is purely a transfer/trading platform.
No funds on the gateway, no chance of a hack and loss scenario, no nasty exchange admins running away with your hard-earned BTC (or whatever)


Title: Re: The Deathblow to Proof of Stake
Post by: Relnarien on July 15, 2014, 02:11:19 AM
I'm not going to comment for or against the PoS method, but I will add something to the discussion based on my own personal experience. A few days ago, I held roughly 0.2% of the total coin supply of one PoS-only coin, separated into 6 outputs. Having aged them for more or less a week, all outputs staked a block within the same hour, with 3 of them finding 3 out of 4 consecutive blocks. Obviously, there are other aspects to consider such as maximum coin age, minimum staking age and the maximum supply of the coin, but it does put some things in perspective. Given enough incentive, it would be easy to plan out a "51% attack" on a PoS-only coin without holding even 1% of that coin. That's not to say that PoS is good or bad, but that it is infinitely more secure to run PoW alongside it as a safeguard.


Title: Re: The Deathblow to Proof of Stake
Post by: r3wt on July 15, 2014, 02:25:47 AM
The contradiction in this story is:

If the thief effectively controls the network now with his stake of 30%, how would you initiate a fork?
You simply couldn't. The thief could be coming out with his own wallet, blocking out everybody else. So what's going on here?

The whole story smells.
Why were there 30% of all coins in existence in a MintPal wallet?
Was that wallet staking?

Something doesn't add up here.

because in proof of stake coins, there is a master node responsible for checkpointing and alerts. this client is distinguished by a pair of private keys that are written into the source code. when this client comes online it checkpoints blocks as it syncs. therefore, you can modify this client, then when it comes online it will fork the network, forcing all clients to upgrade. those who do not update will be on the old network, and will receive alert messages to update their client. any attempt to change this private key pair in the source code by an attacker will render the entire blockchain invalid. it's like a safety valve of sorts.


Title: Re: The Deathblow to Proof of Stake
Post by: DeathAndTaxes on July 15, 2014, 02:30:39 AM
because in proof of stake coins, there is a master node responsible for checkpointing and alerts.

So centralized security for a "decentralized" network?


Title: Re: The Deathblow to Proof of Stake
Post by: Rofo on July 15, 2014, 02:52:40 AM
Not Proof of Stake's fault you got coins with near zero incentive to stake, users who don't understand staking security, and a lack of NXT/PPC/NOVA security features (centralized or otherwise) rampant around here.


Title: Re: The Deathblow to Proof of Stake
Post by: stealth923 on July 15, 2014, 04:00:08 AM
Standard Proof of stake is dead. If I owned 5% of a coin and colluded with 5 other people who also held 5% we could attack the network easily. Let alone a single exchange can stake and or kill the network with a single wallet. The vulnerabilities are too big for mainstream adoption. You can imagine if bitcoin was PoS and this happened, you would have 1 person that controls the entire network. Instant death.


Title: Re: The Deathblow to Proof of Stake
Post by: Rofo on July 15, 2014, 04:02:27 AM
Quote
Standard Proof of stake is dead. If I owned 5% of a coin and colluded with 5 other people who also held 5% we could attack the network easily. Let alone a single exchange can stake and or kill the network with a single wallet. The vulnerabilities are too big for mainstream adoption. You can imagine if bitcoin was PoS and this happened, you would have 1 person that controls the entire network. Instant death.

If the BTC community kept 2.4 billion dollars (approx. 30%) worth of BTC on a single exchange, the network deserves death to teach them a valuable lesson.


Title: Re: The Deathblow to Proof of Stake
Post by: Willisius on July 15, 2014, 04:57:21 AM
PoS isn't the problem. Using PoS solely is the problem.


Title: Re: The Deathblow to Proof of Stake
Post by: stealth923 on July 15, 2014, 05:43:48 AM
PoS isn't the problem. Using PoS solely is the problem.

Agreed - I would bet most coins using plain old PoS will need to change or die off because of this.


Title: Re: The Deathblow to Proof of Stake
Post by: devphp on July 15, 2014, 05:58:35 AM
because in proof of stake coins, there is a master node responsible for checkpointing and alerts.

So centralized security for a "decentralized" network?

NXT doesn't have centralized checkpoints.
Other PoS (Peercoin?) may have those.
A distinction has to be made here if you want to stay objective.


Title: Re: The Deathblow to Proof of Stake
Post by: EvilDave on July 15, 2014, 08:41:28 AM
because in proof of stake coins, there is a master node responsible for checkpointing and alerts.

So centralized security for a "decentralized" network?

NXT doesn't have centralized checkpoints.
Other PoS (Peercoin?) may have those.
A distinction has to be made here if you want to stay objective.

Yup, no stinking master nodes for us......


Title: Re: The Deathblow to Proof of Stake
Post by: toknormal on July 15, 2014, 09:14:32 AM

NxT and POS is the way forward.

Masternodes are also a fantastically powerful concept and are already proving a success.


Title: Re: The Deathblow to Proof of Stake
Post by: onemorebtc on July 15, 2014, 09:17:51 AM

NxT and POS is the way forward.

Masternodes are also a fantastically powerful concept and are already proving a success.


lol... I was drinking coffee... now I have to clean my display


Title: Re: The Deathblow to Proof of Stake
Post by: superresistant on July 15, 2014, 09:23:41 AM
Total bullshit from OP.
I hope people will do their own research.

I have nothing to add to this troll talk.


Title: Re: The Deathblow to Proof of Stake
Post by: Brangdon on July 15, 2014, 09:30:52 AM
because in proof of stake coins, there is a master node responsible for checkpointing and alerts.
I wish people wouldn't talk as if all PoS algorithms were the same. Nxt doesn't use check-points. Doing a rollback in Nxt would be about as hard as doing one in Bitcoin.

Standard Proof of stake is dead. If I owned 5% of a coin and colluded with 5 other people who also held 5% we could attack the network easily.
This is equally a problem for Bitcoin. You would need to own 5% of the hashpower rather than 5% of the coin; either way it is a big investment. Thing is, if you own 25% of Nxt, and you destroy the currency, you've destroyed your own money. Whereas with PoW you can own enough hashpower to destroy a currency without owning any of that currency. Afterwards you can move on to another currency that uses the same PoW algorithm. Currencies have been destroyed this way (when they were young).

Quote
You can imagine if bitcoin was PoS and this happened, you would have 1 person that controls the entire network. Instant death.
Again, the analogy with Bitcoin is one faction gaining 25% of the hashing power. And it's happened - Ghash.io has been close to 51%. It seems it's far more likely to happen in a PoW currency, even the most mature one, than in a mature PoS. Obviously, GHash.io has not meant instant death for Bitcoin.


Title: Re: The Deathblow to Proof of Stake
Post by: BitcoinNational on July 15, 2014, 09:33:12 AM
because in proof of stake coins, there is a master node responsible for checkpointing and alerts.

So centralized security for a "decentralized" network?

Plus one centralized exchange, staking in one central wallet. 

An 'unlocked' wallet  :D



Title: Re: The Deathblow to Proof of Stake
Post by: evanito on July 15, 2014, 09:34:51 AM
Proof of stake is useless to people who want to use online wallets for their altcoin, since most online wallets keep the income for themselves. As do exchanges that gain POS shares in balances.


Title: Re: The Deathblow to Proof of Stake
Post by: newuser01 on July 15, 2014, 09:35:07 AM
PoS leads to centralization

Both me and many others have said this before and it still remains true.


PoW is better for security
PoS is good if you don't care about centralization/security and you're ok with one person controlling the network.


Title: Re: The Deathblow to Proof of Stake
Post by: superresistant on July 15, 2014, 09:37:41 AM
PoS leads to centralization

Both me and many others have said this before and it still remains true.


PoW is better for security
PoS is good if you don't care about centralization/security and you're ok with one person controlling the network.

PoW leads to centralization through hardware production, professional mining and massive big pool.

There is no incentive to centralize in PoS.
A node is the same no matter the amount of coins (in Nxt at least, other PoS are shit if they have such big flaws).

Both me and many others have said this before and it still remains true.

PoS is better for security
PoW is good if you don't care about centralization/security and you're ok with few people controlling the network.


Title: Re: The Deathblow to Proof of Stake
Post by: illodin on July 15, 2014, 09:42:15 AM
Does NXT suffer from the "nothing at stake" vulnerability? Or all IPO+PoS coins for that matter, because in the beginning someone had 100% of the coins.


Title: Re: The Deathblow to Proof of Stake
Post by: newuser01 on July 15, 2014, 09:45:29 AM
PoS leads to centralization

Both me and many others have said this before and it still remains true.


PoW is better for security
PoS is good if you don't care about centralization/security and you're ok with one person controlling the network.

PoW leads to centralization through massive big pools.
There is no incentive to centralize in PoS.

Both me and many others have said this before and it still remains true.

PoS is better for security
PoW is good if you don't care about centralization/security and you're ok with few people controlling the network (hardware production + professional mining + pool).



oh you're talking about bitcoin, with the big pools?
Sure, there are a few bigger pools than others but it isn't 1 person controlling the network, like PoS always eventually ends up at.

Also check out multi-algo PoW coins :) there's your answer for big centralized pools.

I would still rather have big centralized pools than someone having the power to control the network without owning any hashing power or even 51% of the coins (even if he had them at one point, he can sell them off and then attack the network - attacking it at no cost).

How does your PoS deal with that, fork it to an earlier stage? haha

PoS allows someone to attack a network at no cost and ruin it for everyone else while benefitting, PoW doesn't. If you cannot see that then there is nothing more to discuss, you need to open your eyes to see :)


Title: Re: The Deathblow to Proof of Stake
Post by: superresistant on July 15, 2014, 09:49:38 AM
PoS leads to centralization
Both me and many others have said this before and it still remains true.
PoW is better for security
PoS is good if you don't care about centralization/security and you're ok with one person controlling the network.
PoW leads to centralization through massive big pools.
There is no incentive to centralize in PoS.
Both me and many others have said this before and it still remains true.
PoS is better for security
PoW is good if you don't care about centralization/security and you're ok with few people controlling the network (hardware production + professional mining + pool).
oh you're talking about bitcoin, with the big pools?
Sure, there are a few bigger pools than others but it isn't 1 person controlling the network, like PoS always eventually ends up at.
Also check out multi-algo PoW coins :) there's your answer for big centralized pools.
I would still rather have big centralized pools than someone having the power to control the network without owning any hashing power or even 51% of the coins (even if he had them at one point, he can sell them off and then attack the network - attacking it at no cost).
How does your PoS deal with that, fork it to an earlier stage? haha
PoS allows someone to attack a network at no cost and ruin it for everyone else while benefitting, PoW doesn't. If you cannot see that then there is nothing more to discuss, you need to open your eyes to see :)

In Nxt, a node adds the same resilience to the network no matter the amount of coins.

This new wave of PoS shitcoins are not real PoS.

Let me requote myself if you cannot read :

Quote
PoW leads to centralization through hardware production, professional mining and massive big pool.

There is no incentive to centralize in PoS.
A node is the same no matter the amount of coins (in Nxt at least, other PoS are shit if they have such big flaws).


Title: Re: The Deathblow to Proof of Stake
Post by: illodin on July 15, 2014, 09:56:19 AM
A node is the same no matter the amount of coins (in Nxt at least, other PoS are shit if they have such big flaws).

Sorry for my ignorance regarding NXT, but someone could just start as many nodes as he wants and have majority of them?


Title: Re: The Deathblow to Proof of Stake
Post by: masterOfDisaster on July 15, 2014, 09:59:07 AM
In either case - PoW or PoS - the security of the network is based on a limited resource that can't be created at will. If an attacker gains control of an amount of that limited resource that is enough to undermine the security of the network it will get nasty.
In PoS the limited resource is derived from the currency units in the network itself.
In PoW the limited resource is computational power.
PoS's security suffers from big holders of currency units which have malicious intents.
PoW's security suffers from big holders of computational power which have malicious intents (imagine someone is abusing a PoW pool's computational power; even if that power is below 50% all that is needed, is to DDoS another big pool...).
Same shit, different color.

The big difference lies in the economical aspects of attacks on PoS and PoW.
For PoW attacks you need computational power. If you have killed a specific PoW network with that power, you can still use it for other PoW networks.
For PoS attacks you need currency units of the network you intend to attack. If you succeed, you diminish the value of the owned currency units - estimatively by vast amounts; there's no reuse for different networks.


Title: Re: The Deathblow to Proof of Stake
Post by: Brangdon on July 15, 2014, 10:41:06 AM
Proof of stake is useless to people who want to use online wallets for their altcoin, since most online wallets keep the income for themselves. As do exchanges that gain POS shares in balances.
"Useless" if you think the use of crypto-currency is to increase wealth by mining/forging. In Nxt, forging is more about securing the network than it is about gaining revenue. In PoS, anyone can forge, but no-one will get rich from it.

Does NXT suffer from the "nothing at stake" vulnerability?
"Nothing at Stake" is a chimera; a theoretical problem that has never been seen in the wild. Currently Nxt does not suffer from forgers forging on every chain they see. There is reason to believe it never will.

Quote
Or all IPO+PoS coins for that matter, because in the beginning someone had 100% of the coins.
Are you confusing "Nothing at Stake" with "History Attack"? Nxt mitigates history attacks by not allowing block-chain re-organisations past 720 blocks. That means we don't have to worry about the founders mounting an attack with ancient coins.


Title: Re: The Deathblow to Proof of Stake
Post by: Nullu on July 15, 2014, 10:42:31 AM
Seems like the biggest problem of cryptocurrency is centralisation. Given that it's meant to be a decentralised currency, it's pretty logical. The problem is centralisation of decentralised currency.

Holding too many coins in one place is like keeping your life savings under your mattress. Keeping large amounts of coins on an exchange, well that just flies in the face of decentralised currency.


Title: Re: The Deathblow to Proof of Stake
Post by: devphp on July 15, 2014, 10:59:17 AM
Are you confusing "Nothing at Stake" with "History Attack"? Nxt mitigates history attacks by not allowing block-chain re-organisations past 720 blocks. That means we don't have to worry about the founders mounting an attack with ancient coins.

Yes, he does confuse them, many people do, because they simply parrot others' wrong opinions.

History attack is impossible because all blocks older than 720 in the past are irreversible, there are decentralized rolling checkpoints in NXT which take care of that.

Here is how Vitalik Buterin formulated the "Nothing at stake" issue two weeks ago:
https://nxtforum.org/general-discussion/bounty-for-successful-nothing-at-stake-attack/msg60114/#msg60114
Read that thread from that post to the end to see that he was apparently satisfied with the replies he got that NXT is not vulnerable to N@S, or at least he had nothing else to retort.


Title: Re: The Deathblow to Proof of Stake
Post by: Chillin_with_beer on July 15, 2014, 11:00:40 AM
pos is the only sustainable solution so far. What you describe is the problem of one young coin, not pos. See https://www.youtube.com/watch?v=A2jx1TlkMBs , he does a very thorough and clear analysis of pos in the long term.



Title: Re: The Deathblow to Proof of Stake
Post by: Brangdon on July 15, 2014, 11:03:08 AM
Sorry for my ignorance regarding NXT, but someone could just start as many nodes as he wants and have majority of them?
Yes.

Nxt also has the notion of "hallmarking" a node, which means it is associated with an account and therefore a stake. Other nodes tend to trust hallmarked nodes more.

I would still rather have big centralized pools than someone having the power to control the network without owning any hashing power or even 51% of the coins (even if he had them at one point, he can sell them off and then attack the network - attacking it at no cost).

How does your PoS deal with that, fork it to an earlier stage? haha
Nxt deals with it by not allowing block-chain re-organisations past 720 blocks. That means the attacker has a narrow window for making the attack. That is in addition to the usual difficulty of acquiring a large enough stake to make the attack feasible. For comparison, in a PoW currency it would go:

  • Buy hashpower.
  • Attack PoW.
  • Sell hashpower.

for a near-zero cost attack. In Nxt it would go:

  • Buy stake.
  • Wait 1440 blocks so that stake can forge.
  • Sell stake.
  • Attack PoS (within 720 blocks).

In both cases, the hard part is step 1. The difference in the ordering of the last two steps is just a few hours. The PoW attacker has the advantage that they can sell off their hashpower at a gradual pace, without crashing the market. With Nxt, they'd have to carry out their attack within 12 hours of selling, so they'd have to sell quickly. Basically, buying 51% of Nxt is going to cost a fortune, and dumping 51% of Nxt would itself crash the price never mind the attack; and the attacker would lose a lot of money from the price crashing before they could sell their entire stake. So the notion that this attack has no cost is ludicrous.


Title: Re: The Deathblow to Proof of Stake
Post by: illodin on July 15, 2014, 11:04:26 AM
Quote
Or all IPO+PoS coins for that matter, because in the beginning someone had 100% of the coins.
Are you confusing "Nothing at Stake" with "History Attack"? Nxt mitigates history attacks by not allowing block-chain re-organisations past 720 blocks. That means we don't have to worry about the founders mounting an attack with ancient coins.

Thanks for the reply.

Does any other PoS coin have such a "rewind" limitation like NXT's 720?


Title: Re: The Deathblow to Proof of Stake
Post by: devphp on July 15, 2014, 11:06:39 AM
As price action and market volume observations show, buying 51% of NXT would be at least two orders of magnitude more costly ($50+ bln) than buying 51% of hash power for Bitcoin ($500 mln), because each time 1% of NXTs is purchased the price goes up 25%, that would be exponential growth of capital required to buy 51% of all NXTs in existence.


Title: Re: The Deathblow to Proof of Stake
Post by: Brangdon on July 15, 2014, 11:18:11 AM
Quote
Or all IPO+PoS coins for that matter, because in the beginning someone had 100% of the coins.
Are you confusing "Nothing at Stake" with "History Attack"? Nxt mitigates history attacks by not allowing block-chain re-organisations past 720 blocks. That means we don't have to worry about the founders mounting an attack with ancient coins.

Thanks for the reply.
My pleasure.

Quote
Does any other PoS coin have such a "rewind" limitation like NXT's 720?
I don't know. Nxt is open source and has its clones, and I guess the clones have the same rules, but I don't know about PoS coins which are more original. I gather Peercoin use centralised check-points instead.


Title: Re: The Deathblow to Proof of Stake
Post by: micax1 on July 15, 2014, 01:49:19 PM
extreme attacks require extreme measures... so rollback is justified
however i consider mintpal story bullshit.


Title: Re: The Deathblow to Proof of Stake
Post by: micax1 on July 15, 2014, 01:50:48 PM
also I think we need a lot of time to get to pure PoS as mainstream
maybe 5-10 years


Title: Re: The Deathblow to Proof of Stake
Post by: superresistant on July 15, 2014, 02:04:35 PM
Sorry for my ignorance regarding NXT, but someone could just start as many nodes as he wants and have majority of them?
Yes.

Nxt also has the notion of "hallmarking" a node, which means it is associated with an account and therefore a stake. Other nodes tend to trust hallmarked nodes more.

I would still rather have big centralized pools than someone having the power to control the network without owning any hashing power or even 51% of the coins (even if he had them at one point, he can sell them off and then attack the network - attacking it at no cost).

How does your PoS deal with that, fork it to an earlier stage? haha
Nxt deals with it by not allowing block-chain re-organisations past 720 blocks. That means the attacker has a narrow window for making the attack. That is in addition to the usual difficulty of acquiring a large enough stake to make the attack feasible. For comparison, in a PoW currency it would go:

  • Buy hashpower.
  • Attack PoW.
  • Sell hashpower.

for a near-zero cost attack. In Nxt it would go:

  • Buy stake.
  • Wait 1440 blocks so that stake can forge.
  • Sell stake.
  • Attack PoS (within 720 blocks).

In both cases, the hard part is step 1. The difference in the ordering of the last two steps is just a few hours. The PoW attacker has the advantage that they can sell off their hashpower at a gradual pace, without crashing the market. With Nxt, they'd have to carry out their attack within 12 hours of selling, so they'd have to sell quickly. Basically, buying 51% of Nxt is going to cost a fortune, and dumping 51% of Nxt would itself crash the price never mind the attack; and the attacker would lose a lot of money from the price crashing before they could sell their entire stake. So the notion that this attack has no cost is ludicrous.



+1
Great explanation.

Please everyone, read that quote before commenting on PoW vs PoS.
No system is perfect but don't let people spread FUD.


Title: Re: The Deathblow to Proof of Stake
Post by: DeathAndTaxes on July 15, 2014, 02:10:54 PM
For PoS attacks you need currency units of the network you intend to attack. If you succeed, you diminish the value of the owned currency units - estimatively by vast amounts; there's no reuse for different networks.

No you need to have currency units in the PAST.  That is the basis for the nothing at stake problem.

Say the active stake is 10% of the money supply.
In block X I have >5% of the money supply.
In block X+1 I sell my coins. 
By X+10 the transaction is confirmed and the new owner(s) have the coins.

I now have NOTHING as in nothing at stake.
I can still re-org the network by building an alternate chain back at block x when I did have the majority of the stake.   It doesn't cost me anything to try, there is nothing I can lose in the process.  I am using not coins but the history of coins I once had to perform the attack.
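
The 720-block re-organisation limit Brangdon describes for Nxt, applied to the sold-stake scenario DeathAndTaxes outlines above, as an added example that is not part of any post in this thread or of Nxt's own code. Chain weight is simplified to chain length, and the `Block` and `Decision` types, the function names and the sample chains are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

MAX_REORG_DEPTH = 720  # the Nxt limit quoted in the thread


@dataclass(frozen=True)
class Block:
    height: int
    block_id: str
    prev_id: str
    forger: str


@dataclass(frozen=True)
class Decision:
    accepted: bool
    depth: int   # number of local blocks the switch would roll back
    reason: str


def extend(chain, count, forger):
    """Return a copy of `chain` with `count` blocks by `forger` appended."""
    chain = list(chain)
    for _ in range(count):
        prev_id = chain[-1].block_id if chain else ""
        height = len(chain)
        digest = hashlib.sha256(f"{prev_id}|{height}|{forger}".encode()).hexdigest()
        chain.append(Block(height, digest, prev_id, forger))
    return chain


def is_linked(chain):
    """Every block must point at its predecessor and sit one height above it."""
    return all(b.prev_id == a.block_id and b.height == a.height + 1
               for a, b in zip(chain, chain[1:]))


def fork_height(local, candidate):
    """Height of the last block both chains share, or -1 if none."""
    common = -1
    for ours, theirs in zip(local, candidate):
        if ours.block_id != theirs.block_id:
            break
        common = ours.height
    return common


def evaluate_reorg(local, candidate, max_depth=MAX_REORG_DEPTH):
    """Decide whether a node holding `local` may switch to `candidate`."""
    if not local:
        raise ValueError("the depth rule needs a local chain to measure against")
    if not is_linked(candidate):
        return Decision(False, 0, "candidate chain is not linked")
    common = fork_height(local, candidate)
    if common < 0:
        return Decision(False, len(local), "no common ancestor")
    depth = local[-1].height - common
    # The depth check comes first: a heavier chain is still refused when
    # it forks below the allowed window.
    if depth > max_depth:
        return Decision(False, depth,
                        f"fork point is {depth} blocks deep, limit is {max_depth}")
    if len(candidate) <= len(local):
        return Decision(False, depth, "candidate is not heavier than local chain")
    return Decision(True, depth, "switch to candidate")


def scenarios():
    """Constructed chains: an honest chain at height 2000 and four rivals."""
    honest = extend([], 2001, "honest")
    return {
        # Ordinary short fork, 3 blocks deep, candidate is longer.
        "shallow_fork": evaluate_reorg(honest, extend(honest[:1998], 5, "peer")),
        # Stake held at height 1000 and sold since; the old holder forges
        # a longer alternate chain from that point.
        "sold_stake_history": evaluate_reorg(
            honest, extend(honest[:1001], 1200, "old-stake")),
        # Boundary cases on either side of the limit.
        "at_limit": evaluate_reorg(honest, extend(honest[:1281], 800, "peer")),
        "past_limit": evaluate_reorg(honest, extend(honest[:1280], 800, "peer")),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:20s} accepted={decision.accepted!s:5s} "
              f"depth={decision.depth:4d}  {decision.reason}")
```

The rule only bounds how far back an alternate history can start; a fork that begins inside the 720-block window is still judged on weight alone.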



Title: Re: The Deathblow to Proof of Stake
Post by: DeathAndTaxes on July 15, 2014, 02:13:14 PM
As price action and market volume observations show, buying 51% of NXT would be at least two orders of magnitude more costly ($50+ bln) than buying 51% of hash power for Bitcoin ($500 mln), because each time 1% of NXTs is purchased the price goes up 25%, that would be exponential growth of capital required to buy 51% of all NXTs in existence.

You don't need 51% of the coins just 51% of the active stake.  In no currency can 100% of the money supply be used for minting.  If it was then the currency couldn't be used for anything else.


Title: Re: The Deathblow to Proof of Stake
Post by: farl4web on July 15, 2014, 02:26:07 PM
The difference is this. When people do a 51% attack on some mid-altcoin and kill it, they can later point their miners to the next victim. In Proof-of-Stake, you will lose your own stake. Then you're not happy, you're done.  ;D


Title: Re: The Deathblow to Proof of Stake
Post by: devphp on July 15, 2014, 02:27:15 PM
As price action and market volume observations show, buying 51% of NXT would be at least two orders of magnitude more costly ($50+ bln) than buying 51% of hash power for Bitcoin ($500 mln), because each time 1% of NXTs is purchased the price goes up 25%, that would be exponential growth of capital required to buy 51% of all NXTs in existence.

You don't need 51% of the coins just 51% of the active stake.  In no currency can 100% of the money supply be used for minting.  If it was then the currency couldn't be used for anything else.

There are not many reasons for people not to forge/stake in NXT, either solo (bigger stakes) or through pools (smaller ones). That's why most of the coins are forging, hence, yes, you need 51% or close to that and the capital two orders of magnitude larger to buy all those coins than the capital needed to buy hardware to hashrate attack Bitcoin.


Title: Re: The Deathblow to Proof of Stake
Post by: farl4web on July 15, 2014, 02:29:05 PM
It's simpler to buy a lot of ASIC miners than to buy 51% of NXT for example. Good luck with that!  ;D


Title: Re: The Deathblow to Proof of Stake
Post by: Istanbul34 on July 15, 2014, 02:31:15 PM
As price action and market volume observations show, buying 51% of NXT would be at least two orders of magnitude more costly ($50+ bln) than buying 51% of hash power for Bitcoin ($500 mln), because each time 1% of NXTs is purchased the price goes up 25%, that would be exponential growth of capital required to buy 51% of all NXTs in existence.

You don't need 51% of the coins just 51% of the active stake.  In no currency can 100% of the money supply be used for minting.  If it was then the currency couldn't be used for anything else.

The NXT community discussed this matter with Vitalik Buterin from Ethereum. He was surprised about the solution of NXT and said there is no fatal flaw in NXT after he understood the solution.

https://nxtforum.org/general-discussion/bounty-for-successful-nothing-at-stake-attack/msg60166/#msg60166

Read his analysis and come back. If you still can describe how you can perform a successful Nothing at Stake attack against NXT, I will believe you and I will bow for you.


Title: Re: The Deathblow to Proof of Stake
Post by: XbladeX on July 15, 2014, 02:57:00 PM
POS in general is as secure as its stake holders are; if they are stupid and keep 1/3 of all coins in one place they can suffer like VRC..
If they are smarter, like PPC, they won't have such a problem.

Here I didn't even see any blow to POS security, because the attacker has to know how to attack the coin...


Here there was panic and fear of 8m coins being dumped on the market, nothing more...
If they wanted a secure network they could have done it another way.


Title: Re: The Deathblow to Proof of Stake
Post by: Propulsion on July 15, 2014, 03:03:05 PM
A lot of discussion is specifically about NXT.

Is there any difference in NXT's PoS implementation vs most of these new altcoins with PoS?


Title: Re: The Deathblow to Proof of Stake
Post by: devphp on July 15, 2014, 03:06:49 PM
A lot of discussion is specifically about NXT.

Is there any difference in NXT's PoS implementation vs most of these new altcoins with PoS?

NXT's implementation is unique, except if those new altcoins are clones of NXT (NFD, NAS).


Title: Re: The Deathblow to Proof of Stake
Post by: illodin on July 15, 2014, 03:07:10 PM
A lot of discussion is specifically about NXT.

Is there any difference in NXT's PoS implementation vs most of these new altcoins with PoS?

BlackCoin has PoS 2.0 (http://www.cryptoarticles.com/crypto-news/blackcoins-proof-of-stake-20-whitepaper-revealed):

  • Coin Age will no longer be a factor to generate Proof-of-Stake interest. There is a need for more nodes online and staking. More staking nodes will also speed up the BlackCoin network and transaction time. Do keep in mind the staking rewards are not affected by this change.
  • The stake modifier will be changed at every modifier interval
  • Further blockchain timestamp changes will be made to avoid Proof-of-Stake blocks from orphaning.
  • BlackCoin will no longer be using the Scrypt algorithm for its Proof-of-Stake phase, and will revert back to SHA-256D. Using Scrypt offers no real advantages, and is in fact slower compared to some of the other alternatives.


Title: Re: The Deathblow to Proof of Stake
Post by: lynn_402 on July 15, 2014, 03:50:19 PM
POS in general is as secure as its stake holders are; if they are stupid and keep 1/3 of all coins in one place they can suffer like VRC..
If they are smarter, like PPC, they won't have such a problem.

Here I didn't even see any blow to POS security, because the attacker has to know how to attack the coin...


Here there was panic and fear of 8m coins being dumped on the market, nothing more...
If they wanted a secure network they could have done it another way.

PPC also has the advantage that, because it is older, distribution is considerably better. Which means that it's very unlikely that a single exchange would have a big percentage of all coins.


Title: Re: The Deathblow to Proof of Stake
Post by: mczarnek on July 15, 2014, 03:56:56 PM
You don't need 51% of the coins just 51% of the active stake.  In no currency can 100% of the money supply be used for minting.  If it was then the currency couldn't be used for anything else.

I'm talking Nxt, because I know Nxt.

First of all, I believe Nxt has ~30% of the stake currently forging, so you're talking more like 15% of the stake needed.  New tools coming out and coinbase like wallets that could forge for people and pay them interest and leased forging(like pooled mining), as well as increased wallet security coming soon should increase this in the future.

It is estimated that an attack against Bitcoin would cost $1.15 billion. (http://www.coinometrics.com/bitcoin/brix)

Bitcoin also has a market cap of $ 8,133,288,923 meaning that a 15% attack against Bitcoin would be $1,219,993,338.45, so similar costs.

BUT Nxt's is maintainable.. next time Bitcoin halves, miners will have to drop off the network.  Transaction fees simply can't support the miners.  After all, Nxt will have very low transaction fees, it is currently surviving off of 1 Nxt transaction fee, which is to be lowered, while even Gavin is predicting that the current fee should be $0.41.. once the inflation halves, Bitcoin is in trouble.  Nxt on the other hand can currently survive with $0.05 transaction fees, to be lowered as Nxt grows. Meaning Nxt's security and fees will go up, Bitcoin will go down.

For PoS attacks you need currency units of the network you intend to attack. If you succeed, you diminish the value of the owned currency units - estimatively by vast amounts; there's no reuse for different networks.

No you need to have currency units in the PAST.  That is the basis for the nothing at stake problem.

Say the active stake is 10% of the money supply.
In block X I have >5% of the money supply.
In block X+1 I sell my coins. 
By x+10 the transaction is confirmed the new owner(s) have the coins.

I now have NOTHING as in nothing at stake.
I can still re-org the network by building an alternate chain back at block x when I did have the majority of the stake.   It doesn't cost me anything to try, there is nothing I can lose in the process.  I am using not coins but the history of coins I once had to perform the attack.

Few things preventing it:
- If the network sees you double forging on different forks, it will ban you for 1440 blocks.  Good luck performing such an attack when you can't write to multiple chains.  This means that you do indeed need to own 51% of the forging power.
- This needs to take place within 720 blocks, at which point the network essentially agrees to a decentralized checkpoint.
- Economic Clustering, Nxt intends to make sure that transactions happen with a given 'Economic Cluster' which basically means that when you sell your Nxt you and the person buying your Nxt agree to which fork you are selling your Nxt on.  The more Nxt transferred on a given fork, the stronger that fork is.  If you transfer 15% of all Nxt, you need to pick which chain it is being transferred on, and therefore make that chain valid with that choice.  People buying your Nxt won't be willing to buy that much without pinning it to a specific chain.  Your new chain will not have that many transactions pinned to it.

Also, if you decided to cash out 15% of Bitcoin within about 10 hours.. you would crash the price down to zero.. meaning you do do a lot of damage by cashing out that much there too.  To the point that you might kill it.
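
The first two mitigations listed in the post above (a 720-block limit on reorganisations and a 1440-block ban for double forging), sketched as an added Python model that is not part of the thread and is not Nxt's code. The `Block` and `Node` structures, the longest-chain rule and the sample chains are assumptions constructed for illustration; only the two constants come from the post.

```python
# Added example: simplified node-side fork acceptance, not Nxt's implementation.
from dataclasses import dataclass, field

MAX_REORG_DEPTH = 720  # from the post: forks must resolve within 720 blocks
BAN_BLOCKS = 1440      # from the post: ban length for double forging


@dataclass(frozen=True)
class Block:
    height: int
    block_id: str
    parent_id: str
    forger: str


@dataclass
class Node:
    chain: list                                       # index == block height
    seen: dict = field(default_factory=dict)          # (forger, height) -> block_id
    banned_until: dict = field(default_factory=dict)  # forger -> last banned height

    def __post_init__(self):
        for b in self.chain:
            self.seen[(b.forger, b.height)] = b.block_id

    @property
    def tip(self):
        return self.chain[-1]

    def observe(self, block):
        """Remember who signed what; two different blocks at one height is double forging."""
        first = self.seen.setdefault((block.forger, block.height), block.block_id)
        if first != block.block_id:
            self.banned_until[block.forger] = self.tip.height + BAN_BLOCKS
            return False
        return True

    def consider_fork(self, fork):
        """Return (accepted, reason) for a competing branch and adopt it if accepted."""
        fp = fork[0].height - 1                       # height of the claimed fork point
        if not 0 <= fp < len(self.chain) or self.chain[fp].block_id != fork[0].parent_id:
            return (False, "bad-linkage")
        if any(c.parent_id != p.block_id or c.height != p.height + 1
               for p, c in zip(fork, fork[1:])):
            return (False, "bad-linkage")
        # Rolling checkpoint: history older than 720 blocks is final, however
        # long the competing branch is. This is what stops the "coins I once had" rewrite.
        if self.tip.height - fp > MAX_REORG_DEPTH:
            return (False, "beyond-checkpoint")
        for b in fork:
            if b.height <= self.banned_until.get(b.forger, -1):
                return (False, "banned-forger")
            if not self.observe(b):
                return (False, "double-forging")
        if fork[-1].height <= self.tip.height:        # assumption: longest chain wins
            return (False, "not-longer")
        self.chain = self.chain[:fp + 1] + list(fork)
        return (True, "accepted")


def build(parent, forgers, tag):
    """Construct one block per forger on top of `parent` (constructed sample data)."""
    out = []
    for forger in forgers:
        h = parent.height + 1
        parent = Block(h, f"{tag}-{h}", parent.block_id, forger)
        out.append(parent)
    return out


def demo():
    genesis = Block(0, "main-0", "", "genesis")
    honest = ["alice", "bob", "carol"]
    forgers = [honest[i % 3] for i in range(1000)]
    forgers[997] = "mallory"                          # mallory forged main-chain block 998
    main = [genesis] + build(genesis, forgers, "main")
    node = Node(main)
    results = {}
    # 1. Old stake holder rebuilds 950 blocks from height 100 (reorg depth 900).
    results["history_attack"] = node.consider_fork(build(main[100], ["mallory"] * 950, "hist"))
    # 2. Shallow fork in which mallory signs a second, different block at height 998.
    dbl = build(main[996], ["dave", "mallory", "dave", "dave", "dave"], "dbl")
    results["double_forge"] = node.consider_fork(dbl)
    # 3. Ordinary shallow reorg by forgers who signed nothing else at those heights.
    results["honest_reorg"] = node.consider_fork(
        build(main[997], ["erin", "frank", "erin", "frank"], "hon"))
    # 4. Mallory tries to extend the new tip while the ban is still running.
    results["banned_forger"] = node.consider_fork(build(node.tip, ["mallory"], "late"))
    results["tip_height"] = node.tip.height
    results["mallory_banned_until"] = node.banned_until["mallory"]
    return results


if __name__ == "__main__":
    print(demo())
```
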


Title: Re: The Deathblow to Proof of Stake
Post by: devphp on July 15, 2014, 04:02:48 PM
First of all, I believe Nxt has ~30% of the stake currently forging

Where did you get that number?

What does Total Balance under More info in the NRS Version section on the dashboard mean?


Title: Re: The Deathblow to Proof of Stake
Post by: atc1 on July 15, 2014, 04:16:14 PM
The problem is hardly with PoS. Think about what would have happened if it were PoW instead. It would all have been stolen, as in lost. Mintpal's security and the decision of the developer of one coin cannot be extrapolated to the whole system. The other PoS coins are doing just fine.


Title: Re: The Deathblow to Proof of Stake
Post by: Brilliantrocket on July 15, 2014, 04:19:49 PM
The problem is hardly with PoS. Think about what would have happened if it were PoW instead. It would all have been stolen, as in lost. Mintpal's security and the decision of the developer of one coin cannot be extrapolated to the whole system. The other PoS coins are doing just fine.
Correct, but the integrity of the blockchain wouldn't be at a massive risk of compromise, as it was (is?) here.


Title: Re: The Deathblow to Proof of Stake
Post by: EvilDave on July 15, 2014, 05:09:20 PM
also I think we need a lot of time to get to pure PoS as mainstream
maybe 5-10 years months

Fixed that for ya.....NXT is rolling up hard.


Title: Re: The Deathblow to Proof of Stake
Post by: Propulsion on July 15, 2014, 05:13:37 PM
The problem is hardly with PoS. Think about what would have happened if it were PoW instead. It would all have been stolen, as in lost. Mintpal's security and the decision of the developer of one coin cannot be extrapolated to the whole system. The other PoS coins are doing just fine.

Not really though. A huge problem with PoS is when the currency is still in its infancy. A lot of coins are left in exchanges instead of being staked.

In reality, when the coin is so young, it makes it very easy to create a new chain.

Here is another PoS currency that just fell susceptible to a malicious attack.
https://bitcointalk.org/index.php?topic=679791.msg7859494#msg7859494


Title: Re: The Deathblow to Proof of Stake
Post by: ChuckOne on July 15, 2014, 07:31:30 PM
For PoS attacks you need currency units of the network you intend to attack. If you succeed, you diminish the value of the owned currency units - estimatively by vast amounts; there's no reuse for different networks.

No you need to have currency units in the PAST.  That is the basis for the nothing at stake problem.

Say the active stake is 10% of the money supply.
In block X I have >5% of the money supply.
In block X+1 I sell my coins.  
By x+10 the transaction is confirmed the new owner(s) have the coins.

I now have NOTHING as in nothing at stake.
I can still re-org the network by building an alternate chain back at block x when I did have the majority of the stake.   It doesn't cost me anything to try, there is nothing I can lose in the process.  I am using not coins but the history of coins I once had to perform the attack.

Rolling and internal checkpoints will make your attack infeasible.


Title: Re: The Deathblow to Proof of Stake
Post by: Zer0Sum on July 15, 2014, 07:41:21 PM

As usual, no one can think outside the little Crypto Box.

The problem is not coins or PoW vs Pos...
Problem = people FORCED TO CENTRALIZE millions of coins on amateur DODGY exchanges.

If the NYSE puts 30% of Apple stock outside on the street and it's stolen...
It says NOTHING about the safety of Apple Inc or Apple stock certificates.


Title: Re: The Deathblow to Proof of Stake
Post by: Brangdon on July 15, 2014, 07:44:47 PM
No you need to have currency units in the PAST.  That is the basis for the nothing at stake problem.
No, that's not what "Nothing at stake" means. What you are describing is a history attack. It's a different kind of vulnerability. I described how Nxt currently mitigates it a few posts earlier, in #67.

You don't need 51% of the coins just 51% of the active stake.  In no currency can 100% of the money supply be used for minting.  If it was then the currency couldn't be used for anything else.
The value used for forging can be very close to 100%, though. In Nxt, when you transfer coins you have to wait a day before you forge with them, but all the coins you didn't transfer can continue to forge. I get the impression you think coins used for forging are somehow locked up, like in a special account. That doesn't happen. If you get paid 1000 NXT salary at the start of the month, you'll be forging with that money every day after the first. If you spend 30 NXT/day on living expenses, after 15 days you'll have half your money left, and will be forging with it. Most of the money you've paid to other people will probably be sitting in their accounts for more than a day, so will be forging for them. Most of the coins can, and probably will, be forging for whoever owns them.


Title: Re: The Deathblow to Proof of Stake
Post by: XbladeX on July 15, 2014, 08:39:36 PM
POS in general is as secure as its stake holders are; if they are stupid and keep 1/3 of all coins in one place they can suffer like VRC..
If they are smarter, like PPC, they won't have such a problem.

Here I didn't even see any blow to POS security, because the attacker has to know how to attack the coin...


Here there was panic and fear of 8m coins being dumped on the market, nothing more...
If they wanted a secure network they could have done it another way.

PPC also has the advantage that, because it is older, distribution is considerably better. Which means that it's very unlikely that a single exchange would have a big percentage of all coins.
I agree with that, but there are many factors that prevent many POS attacks.
POS is as secure as its owners are; here is the great justice of the POS system.
There is a chart of POS coin nodes, but in the end it says a bit about the communities and how they secure the network:
http://bitinfocharts.com/pl/comparison/nodes-ppc-bc-xc-vrc-nvc.html

As you see, over time staking is not so secure and people are staking less. I hope the multisign feature, some kind of 2FA in crypto, will help solve that problem.
This is currently implemented in BitHalo/BlackHalo (David Zimbeck, creator), but it will be open source in the future. Blackcoin POS can stake using that multisign;
this is a great step in securing the staking process.

It is something like this: you have 2 keys, one key on a phone (or PC, server, etc.) and the 2nd on a PC; to send or receive you need both keys, which will increase the security level of staking nodes.
Education of holders is also important, so as not to allow a situation like 1/3 of all supply on one exchange; this is a situation where you are looking for trouble.


Title: Re: The Deathblow to Proof of Stake
Post by: bobtlk on July 15, 2014, 08:57:53 PM
How do you generate POS with Peer Coin? I tried the walletpasshphrase <password> 99999,9 but nothing happened. Does Peer Coin need a different command? Sorry to stalk the thread for this but thought someone here may know? Thanks.


Title: Re: The Deathblow to Proof of Stake
Post by: hicaribou on July 16, 2014, 02:34:34 AM
How do you generate POS with Peer Coin? I tried the walletpasshphrase <password> 99999,9 but nothing happened. Does Peer Coin need a different command? Sorry to stalk the thread for this but thought someone here may know? Thanks.

Do you mean Peercoin PoS minting? Try this: walletpassphrase "your password or passphrase" 99999 true


Title: Re: The Deathblow to Proof of Stake
Post by: darkota on July 16, 2014, 02:47:02 AM
Navajocoin, a PoS coin, was recently attacked and two doublespends occurred from the attacker gaining over 30% of all coins. Pos really is Piece of Shit...


Title: Re: The Deathblow to Proof of Stake
Post by: XbladeX on July 16, 2014, 05:42:19 AM
Navajocoin, a PoS coin, was recently attacked and two doublespends occurred from the attacker gaining over 30% of all coins. Pos really is Piece of Shit...

But a POW coin can suffer the same...
http://www.coinwarz.com/cryptocurrency?sort=hashrate&dir=asc <===
As you see, having 300hm+ (one single KNC Titan can attack 50+ coins...)...
So POW, Proof of Weak, is not the ultimate solution here either. Shitcoins like lotto, leaf...

Today, when 7-day mining is popular and 95% of a new coin is on exchanges, like VRC (1/3 of all on 1 exchange), POS networks are not secure; the same goes for POW...
If someone hacks ghash.io and gets 51%, BTC will suffer too.

In POS the OWNERS take responsibility for securing the network; if they fail, their coin fails.
In POS people have greater motivation to protect the network than in POW. In POW one supercomputer/ASIC can make a big mess.
Maybe only BTC, LTC and Doge are hard to attack; the rest are not too secure...



Title: Re: The Deathblow to Proof of Stake
Post by: LeChatNoir on July 16, 2014, 07:21:58 AM
How do you generate POS with Peer Coin? I tried the walletpasshphrase <password> 99999,9 but nothing happened. Does Peer Coin need a different command? Sorry to stalk the thread for this but thought someone here may know? Thanks.

Do you mean Peercoin PoS minting? Try this: walletpassphrase "your password or passphrase" 99999 true

This!
And after that you will have to wait a few minutes before the GUI displays the wallet is unlocked and forging.


Title: Re: The Deathblow to Proof of Stake
Post by: cwb27 on July 16, 2014, 07:25:30 AM
if pos so good, why is litecoin still second. take that


Title: Re: The Deathblow to Proof of Stake
Post by: superresistant on July 16, 2014, 07:26:20 AM
if pos so good, why is litecoin still second. take that

Ridiculous argument. Try again.


Title: Re: The Deathblow to Proof of Stake
Post by: ChuckOne on July 16, 2014, 07:27:43 AM
if pos so good, why is litecoin still second. take that

Ridiculous argument. Try again.

He did his very best. ;)


Title: Re: The Deathblow to Proof of Stake
Post by: LeChatNoir on July 16, 2014, 07:43:51 AM
if pos so good, why is litecoin still second. take that

Litecoin is older and it's benefiting from some kind of network effect as it is the "biggest altcoin" out there.
Give NXT a few more months  ;)


Title: Re: The Deathblow to Proof of Stake
Post by: Chillin_with_beer on July 16, 2014, 07:58:40 AM
if pos so good, why is litecoin still second. take that

Litecoin is older and it's benefiting from some kind of network effect as it is the "biggest altcoin" out there.
Give PPC a few more months  ;)

fixed


Title: Re: The Deathblow to Proof of Stake
Post by: allwelder on July 16, 2014, 09:53:26 AM
if pos so good, why is litecoin still second. take that
You should know that price does not reflect the whole situation; it is just one part, over a short time.
As time goes on, POS will give us exciting news.


Title: Re: The Deathblow to Proof of Stake
Post by: cwb27 on July 16, 2014, 09:56:39 AM
if pos so good, why is litecoin still second. take that
You should know that price does not reflect the whole situation; it is just one part, over a short time.
As time goes on, POS will give us exciting news.

ohh that makes sense.

why is nxt better than ppc?


Title: Re: The Deathblow to Proof of Stake
Post by: allwelder on July 16, 2014, 10:09:53 AM
if pos so good, why is litecoin still second. take that
You should know that price does not reflect the whole situation; it is just one part, over a short time.
As time goes on, POS will give us exciting news.

ohh that makes sense.

why is nxt better than ppc?
I'll just list some differences, but I don't want to offend PPCers.
1. NXT is the first 100% POS coin, with a brand new POS named TF (transparent forging).
2. NXT has no central checkpoint and no coin age design.
3. NXT has many features, such as Asset exchange, arbitrary message, Alias, and some coming features: digital goods store, alias exchange, monetary system, and so on...


Title: Re: The Deathblow to Proof of Stake
Post by: allwelder on July 16, 2014, 10:17:56 AM
if pos so good, why is litecoin still second. take that

Litecoin is older and it's benefiting from some kind of network effect as it is the "biggest altcoin" out there.
Give NXT a few more months  ;)
Agree, Litecoin was born in 2011, NXT in 2013~2014; it just needs time.


Title: Re: The Deathblow to Proof of Stake
Post by: lynn_402 on July 16, 2014, 01:40:35 PM
if pos so good, why is litecoin still second. take that
You should know that price does not reflect the whole situation; it is just one part, over a short time.
As time goes on, POS will give us exciting news.

ohh that makes sense.

why is nxt better than ppc?
I'll just list some differences, but I don't want to offend PPCers.
1. NXT is the first 100% POS coin, with a brand new POS named TF (transparent forging).
2. NXT has no central checkpoint and no coin age design.
3. NXT has many features, such as Asset exchange, arbitrary message, Alias, and some coming features: digital goods store, alias exchange, monetary system, and so on...


There are arguments in the other direction, too.

1- PPC has a better distribution because of PoW.
2- PPC is less centralized, because one team doesn't have control on the whole architecture, and it was not instamined.
3- The central checkpoints are actually a good thing for now, since PoS has not been definitely proven to be secure. Central checkpoints allow some additional security for that period before the devs are 100% confident that the coin will be secure without the checkpoints.
4- There's Peershares being developed, which is an asset exchange built in through the Peerunity wallet client.


Title: Re: The Deathblow to Proof of Stake
Post by: ChronosCrypto on July 16, 2014, 06:10:33 PM
A single point of failure
Mintpal was compromised. The attacker gained 30% of the total supply of Vericoin in the attack.
Well, this is the obvious problem -- Mintpal had 30% of the total supply. It could have attacked the network itself, without any hacker stealing any funds. Can you imagine one entity having 30% of the total USD in existence? Vericoin was too concentrated in the hands of too few. Over time, as a coin grows, it spreads to more people and this risk goes down.


Title: Re: The Deathblow to Proof of Stake
Post by: hicaribou on July 17, 2014, 01:18:16 PM
if pos so good, why is litecoin still second. take that

Peercoin will be in the second place within several months and then compete with Bitcoin for the first place.


Title: Re: The Deathblow to Proof of Stake
Post by: ArticMine on July 21, 2014, 03:35:34 AM
Can one not attack a proof of stake coin by purchasing the actual coin and at the same time selling short on the "paper / derivative" market thereby effectively maintaining a neutral or even a short position on the coin during the attack?


Title: Re: The Deathblow to Proof of Stake
Post by: devphp on July 21, 2014, 05:15:16 AM
Can one not attack a proof of stake coin by purchasing the actual coin and at the same time selling short on the "paper / derivative" market thereby effectively maintaining a neutral or even a short position on the coin during the attack?

Short answer: No.

Long answer: it's a quick way for that exchange to be out of business if the exchange doesn't limit the short position of that customer (it's not like naked short selling is present on many exchanges now, because exchanges understand the limited supply nature of crypto currencies and that they can quickly go bankrupt if they allow this naked short selling, or at least with something over 1:2 leverage).

If the attacker withdraws, this will be noticeable immediately, because blockchain is transparent, people will notice the exchange's reserves are depleting and will do mass withdrawals too.

There is no economic incentive for an exchange to allow customers to have large short positions, because if the price stays the same, they lose on: a) fees (the larger the fiat price of a crypto, the larger the fee they can collect, because the fee is usually set in crypto); b) bad reputation for the exchange, people will notice that volume of trading is huge, but the price stays the same, meaning something funky is going on on that exchange, and will go to other exchanges. This funky business may have worked with Mt.Gox, because the willybot kept the price to the upside, so people were ok with that, but won't work, if volume is going up significantly, but price stays the same, it's not natural and means someone is doing something criminal.

Besides, in NXT, for example, there are plans to go to decentralized gateways and multigateways to deposit/withdraw, multigateway is already developed and functioning on live net (https://nxtforum.org/nxtservices-releases/), centralized exchanges don't fit the decentralized concept of NXT, they are a single point of failure, an entity you have to trust, hence they will not be relevant in the future.

I am sure there are other nuances why this attack is not possible in practice, at least for an established crypto like NXT, but those above should be enough for now.


Title: Re: The Deathblow to Proof of Stake
Post by: ArticMine on July 21, 2014, 05:37:40 AM
Can one not attack a proof of stake coin by purchasing the actual coin and at the same time selling short on the "paper / derivative" market thereby effectively maintaining a neutral or even a short position on the coin during the attack?

Short answer: No.

Long answer: it's a quick way for that exchange to be out of business if the exchange doesn't limit the short position of that customer (it's not like naked short selling is present on many exchanges now, because exchanges understand the limited supply nature of crypto currencies and that they can quickly go bankrupt if they allow this naked short selling, or at least with something over 1:2 leverage).

If the attacker withdraws, this will be noticeable immediately, because blockchain is transparent, people will notice the exchange's reserves are depleting and will do mass withdrawals too.

There is no economic incentive for an exchange to allow customers to have large short positions, because if the price stays the same, they lose on: a) fees (the larger the fiat price of a crypto, the larger the fee they can collect, because the fee is usually set in crypto); b) bad reputation for the exchange, people will notice that volume of trading is huge, but the price stays the same, meaning something funky is going on on that exchange, and will go to other exchanges. This funky business may have worked with Mt.Gox, because the willybot kept the price to the upside, so people were ok with that, but won't work, if volume is going up significantly, but price stays the same, it's not natural and means someone is doing something criminal.

Besides, in NXT, for example, there are plans to go to decentralized gateways and multigateways to deposit/withdraw, multigateway is already developed and functioning on live net (https://nxtforum.org/nxtservices-releases/), centralized exchanges don't fit the decentralized concept of NXT, they are a single point of failure, an entity you have to trust, hence they will not be relevant in the future.

I am sure there are other nuances why this attack is not possible in practice, at least for an established crypto like NXT, but those above should be enough for now.

The attacker does not have to be an exchange, nor is there a need for a centralized market for the attack to work.  

It is possible today to enter into BTC and LTC contracts for difference vs USD using an FX broker or brokers with something else such as USD or EUR as collateral. One can use this to create a short position on the coin. One then at the same time purchases the same amount of the actual coin, thereby not moving the market because of arbitrage between the FX broker or brokers and the actual coin market or markets. This kind of thing happens all the time with commodities, stocks and fiat currencies where the paper market exceeds the actual physical market by many orders of magnitude. Furthermore there are many valid reasons why people would do this kind of hedging. The only reason this does not work with current proof of stake coins is that they are still too young to create a viable derivatives market.

The problem with proof of stake is that the stake represented on the blockchain may not represent at all the exposure of the holder of the stake to the coin, if the holder of the stake has hedged her exposure to the coin with derivatives. The more established the coin, the more likelihood of a derivatives market around the coin and consequently the greater the risk of this kind of attack.


Title: Re: The Deathblow to Proof of Stake
Post by: devphp on July 21, 2014, 05:53:38 AM
It is possible today to enter into BTC and LTC contracts for difference vs USD using an FX broker with something else such as USD or EUR as collateral. One can use this to create a short position on the coin. One then at the same time purchases the same amount of the actual coin, thereby not moving the market because of arbitrage between the FX broker or brokers and the market. This kind of thing happens all the time with commodities, stocks and fiat currencies where the paper market exceeds the actual physical market by many orders of magnitude. Furthermore there are many valid reasons why people would do this kind of hedging. The only reason this does not work with current proof of stake coins is that they are still too young to create a derivatives market.

The problem with proof of stake is that stake represented on the blockchain may not represent at all the exposure of the holder of the stake to the coin if the holder of the stake has hedged her exposure to the coin with derivatives. The more established the coin, the more likelihood of a derivatives market around the coin and consequently the greater the risk of this attack.

Yes, I know it's possible with BTC and LTC with some brokers, but BTC and LTC are not Proof-of-Stake, hence the exchange itself doesn't have to make sure the customer is not doing funky operations with those coins. In case of PoS, it will be in the exchange's own economic interests to make sure that is not happening, because it will jeopardize their reputation (see above for huge volume and price staying the same, this is a big red flag not to trade on that exchange and be sure it will be publicized very quickly).

Paper derivatives market in cryptos is not going to be anything large to worry about due to the fact that it's very easy to take delivery of crypto currencies, whereas it would be a major hassle if you tried that with commodities in real life (95% of commodity traders do not take delivery and brokers know that, hence they allow them to do highly leveraged trading - some allow 1:10, 1:25 leverage for commodities which is crazy). This incurs the risk of the exchange's reserves being depleted, immediately noticeable by everyone on the blockchain. So, yes, commodities, fiat currencies, stocks - paper derivatives on top of them are very easy to implement. As for crypto currencies - it's not going to work on any large scale.

If the price stays the same, it will be easy for others to buy and withdraw, soon there won't be enough for everyone. The price has to rise to satisfy demand, depleting people's fiat that they can buy with. If that doesn't happen, the available supply will soon be bought up and withdrawn from the exchange.

Please see my previous post about decentralized gateways also, that NXT is implementing making centralized exchanges irrelevant.


Title: Re: The Deathblow to Proof of Stake
Post by: ArticMine on July 21, 2014, 06:08:51 AM
It is possible today to get up to 20:1 margin on Bitcoin CFDs and up to 10:1 margin on Litecoin CFDs today using an FX broker not an exchange. http://www.avatrade.com/trading-info/trading-conditions (http://www.avatrade.com/trading-info/trading-conditions) There is no need to use just one FX broker for "paper" or just one exchange for "actual" for this attack to work. In fact the more decentralized the market for both the "paper" and the "actual" the better since this will allow the attacker to hide her hand.  



Title: Re: The Deathblow to Proof of Stake
Post by: devphp on July 21, 2014, 06:21:36 AM
It is possible today to get up to 20:1 margin on Bitcoin CFDs and up to 10:1 margin on Litecoin CFDs today using an FX broker not an exchange. http://www.avatrade.com/trading-info/trading-conditions (http://www.avatrade.com/trading-info/trading-conditions) There is no need to use one FX broker for "paper" or one exchange for "actual" for this attack to work. In fact the more decentralized the market for both the "paper" and the "actual" the better since that will allow the attacker to hide her hand. 

Correct me if I am wrong, but CFDs are not the actual commodity being traded. There is no delivery of commodity if a CFD is bought, everything is cash settled. The CFD price is following the price of commodity exchanges or crypto exchanges in the case of cryptos, not leading it.

So if an attacker buys actual crypto commodity in large amounts on one exchange with one hand and at the same time sells CFD with another hand at another broker/exchange, the price on the first exchange would start growing, everyone will rush to buy (people like to buy when the price grows), the price will be growing even more, arbitrageurs will quickly jump on board and make sure the price is about the same on all exchanges and with all brokers (now the attacker's short position is well under water).

If the attacker keeps persisting and demand from the attacker and other people keeps growing, the attacker will soon have to cover their short position in CFDs with a huge loss because the broker will send a margin call or would have to add cash to maintain it. In the end, because people take delivery of the crypto, the attacker would have to close short positions at a loss, no matter how much fiat the attacker has, because the crypto would be depleted at exchanges and price goes to infinity (remember: 95-99% of traders don't take delivery of wheat, copper or steel, but many take delivery of cryptos because it's very easy to do).


Title: Re: The Deathblow to Proof of Stake
Post by: ArticMine on July 21, 2014, 06:47:06 AM
It is possible today to get up to 20:1 margin on Bitcoin CFDs and up to 10:1 margin on Litecoin CFDs today using an FX broker not an exchange. http://www.avatrade.com/trading-info/trading-conditions There is no need to use one FX broker for "paper" or one exchange for "actual" for this attack to work. In fact the more decentralized the market for both the "paper" and the "actual" the better since that will allow the attacker to hide her hand.

Correct me if I am wrong, but CFDs are not the actual commodity being traded. There is no delivery of the commodity if a CFD is bought, everything is cash settled. The CFD price follows the price on commodity exchanges, or crypto exchanges in the case of cryptos, not leading it.

So if an attacker buys actual crypto commodity in large amounts on one exchange with one hand and at the same time sells CFD with another hand at another broker/exchange, the price on the first exchange would start growing, everyone will rush to buy (people like to buy when the price grows), the price will be growing even more, arbitrageurs will quickly jump on board and make sure the price is about the same on all exchanges and with all brokers (now the attacker's short position is well under water).

If the attacker keeps persisting and demand from the attacker and other people keeps growing, the attacker will soon have to cover their short position in CFDs with a huge loss because the broker will send a margin call or would have to add cash to maintain it. In the end, because people take delivery of the crypto, the attacker would have to close short positions at a loss, no matter how much fiat the attacker has, because the crypto would be depleted at exchanges and price goes to infinity (remember: 95-99% of traders don't take delivery of wheat, copper or steel, but many take delivery of cryptos because it's very easy to do).

Yes, CFDs are cash settled, this is correct; however there is a counter party to the CFDs that has to hedge her position. This has to ultimately happen by selling the actual, either by the market makers at the brokers or by other market participants engaging in arbitrage selling the actual (at a small premium) and buying the paper (at a small discount). So it is very possible for the paper market to lead the actual market. If both the actual long and paper short are acquired gradually and across multiple brokers and exchanges the impact on the market is minimal. One must keep in mind that until the moment of the attack the attacker can keep her net position neutral, then increase her position to net short just before the attack to profit from the plunge in price caused by the chaos resulting from the attack.

Your point about taking delivery with crypto-currencies is very valid; however in this case it only serves to ensure that those writing the CFDs maintain tightly hedged positions themselves to minimize their risk, thereby keeping the paper and actual markets in sync. This will magnify the effect of the attack.

Edit: This attack works best when the market is otherwise moving sideways.


Title: Re: The Deathblow to Proof of Stake
Post by: devphp on July 21, 2014, 07:14:22 AM
Yes, CFDs are cash settled, this is correct; however there is a counter party to the CFDs that has to hedge her position. This has to ultimately happen by selling the actual, either by the market makers at the brokers or by other market participants engaging in arbitrage selling the actual (at a small premium) and buying the paper (at a small discount). So it is very possible for the paper market to lead the actual market. If both the actual long and paper short are acquired gradually and across multiple brokers and exchanges the impact on the market is minimal. One must keep in mind that until the moment of the attack the attacker can keep her net position neutral, then increase her position to net short just before the attack to profit from the plunge in price caused by the chaos resulting from the attack.

Your point about taking delivery with crypto-currencies is very valid; however in this case it only serves to ensure that those writing the CFDs maintain tightly hedged positions themselves to minimize their risk, thereby keeping the paper and actual markets in sync. This will magnify the effect of the attack.

How do you say the impact on the market is minimal when the attacker is looking to acquire... how much, 20-50% of total PoS coin in circulation? These actions will generate huge volume across all exchanges, the attacker's own volume or counter parties' who hedge their bets. The markets of cryptos are very thin (even Bitcoin, not to mention less known coins), the price will jump and generate a lot of demand from speculators, many of whom withdraw. Soon the price on the actual crypto market will detach from paper market derivatives, the actual crypto will be traded at a premium to paper derivatives, this again noticeable to everyone. Paper derivatives will be losing their credibility, same as happening with some real commodities. The more they lose credibility, the more the premium the actual crypto/commodity trades at.

For an established PoS coin like NXT actions of a rogue trader are unlikely to cause chaos. There were a few million of NXTs dumped on the market by a hacker who stole from kLee, the price spiked down, but recovered very quickly to the level before the dump. The lower the price, the more value traders come out to buy an established valuable crypto and the more they can acquire for the same amount of fiat, so the attacker would be shooting themselves in the foot very quickly with short trading. And because the traded supply on exchanges is very thin relative to total supply of NXTs, the attacker or the attacker's counter parties would have to own too much of the coin to be able to constantly dump to break the market to the downside, because all those value traders would be out there collecting cheap coins dumped on to them. I fail to see where the counter parties of the attacker would have got that many coins from to sell at the actual market.

What you describe here is a theoretical risk that is two orders of magnitude more difficult to realize (in terms of cash you need) than the 51% attack on a PoW coin.


Title: Re: The Deathblow to Proof of Stake
Post by: ThomasCrowne on July 21, 2014, 07:18:22 AM
The unprecedented solution
A rollback is terrible. Every single cryptocurrency relies on the public blockchain ledger. It is the holy grail of the entire currency. Once something is written to it and not orphaned, it's set in stone. When the team decided to initiate the rollback, they decided to use the nuclear option. They broke the entire foundation of crypto and set a new norm where it will be ok to undo transactions if they are large enough. Instead of the developers only being developers, they've now taken the option to also be the federal reserve and the police.

I'd like to understand this better, because it has been bothering me for a while. Can devs really just unilaterally decide to roll back a blockchain in PoS? Aren't there other players involved who have to go along with the idea? Lately I've seen many examples of coin devs announcing forks and changes to their coin attributes, and I've had a hard time figuring out just how much power a dev has by themself, and how much has to be a consensus decision with other parts involved - and who are they? Miners, exchanges, holders of wallets, etc?

I can't believe devs have some secret key by which they can just single-handedly alter a coin contrary to everyone else's wishes. That would destroy all faith in such coins IMHO. So please help me understand this.

This is the first time a rollback has ever been performed due to outside circumstances like an exchange failing to implement proper security. In essence, it's a bailout for the exchange. A rollback is the nuclear option, (never been done before) it might cause fallout for every single cryptocurrency in existence.
time to put mintpal in the too big to fail category :-p


Title: Re: The Deathblow to Proof of Stake
Post by: r0ach on July 21, 2014, 07:48:19 AM
Lately I've seen many examples of coin devs announcing forks and changes to their coin attributes, and I've had a hard time figuring out just how much power a dev has by themself, and how much has to be a consensus decision with other parts involved - and who are they? Miners, exchanges, holders of wallets, etc?

Yea, it will be interesting when at some point every exchange converts to a new fork for some random coin and miners (pools) refuse, or vice versa.  Right now, everyone just kinda goes along to get along, but at some point there will be a clash of civilizations.  It's mostly exchanges that dictate everything right now since pool owners don't want to look like idiots having their clientele mining thin air that can't be cashed out.  

This would imply the power to fork comes from the developer and exchanges, and miners come 3rd, which is basically the opposite of the Satoshi view.  The Satoshi view seems to rely on the idea that there will be vastly more exchanges than mining pools, so whatever a particular exchange does has no influence on anything.  Most altcoins are entirely centralized on one exchange.  Bitcoin could be very centralized the same way in that regard having one dominant exchange in the US, and one in Europe or Hong Kong even years from now.


Title: Re: The Deathblow to Proof of Stake
Post by: Brangdon on July 27, 2014, 08:04:42 PM
Yea, it will be interesting when at some point every exchange converts to a new fork for some random coin and miners (pools) refuse, or vice versa.  Right now, everyone just kinda goes along to get along, but at some point there will be a clash of civilizations.  It's mostly exchanges that dictate everything right now since pool owners don't want to look like idiots having their clientele mining thin air that can't be cashed out.  

This would imply the power to fork comes from the developer and exchanges, and miners come 3rd, which is basically the opposite of the Satoshi view.  The Satoshi view seems to rely on the idea that there will be vastly more exchanges than mining pools, so whatever a particular exchange does has no influence on anything.  Most altcoins are entirely centralized on one exchange.  Bitcoin could be very centralized the same way in that regard having one dominant exchange in the US, and one in Europe or Hong Kong even years from now.

Interesting. Nxt has a trading exchange built into the block-chain, which is decentralised, so even if you can't convert NXT to fiat with an external exchange you will be able to buy assets on the internal exchange. Even for Bitcoin, I'd expect external exchanges to become less important over time as the currency becomes more self-sufficient.


Title: Re: The Deathblow to Proof of Stake
Post by: TaunSew on July 27, 2014, 08:34:51 PM
This discussion about NXT is irrelevant.  It used to be a stable 8 to 9 cents back in January and has yet to recover to its former capitalization.  Subsequent development might interest a niche of tech geeks but it doesn't matter to the meat and bone investors, traders and buyers in general.

 If we were talking about any other coin then more of you would be brave enough to say that NXT is a stagnating / dying coin.  For the same reasons why everyone regards Mastercoin as dying.  Maybe Mastercoin is still developing but that's just as irrelevant as NXT having continuing development.

 It's not 2009 / 2010, if a coin can't maintain momentum past a couple months (which NXT couldn't) then it's a sign that a coin isn't meant to be and that it's simply not the coin wanted by the public at large.   We could dwell on should haves and could haves but NXT is NXT, you can't change something which has been out for 9 months since genesis and you can't change the public's first impression so readily.

There's already the upcoming next generation of POS and mixed-PoS which has explicitly addressed poor distribution (which was a huge factor in NXT's collapse as January / February was around the time when everyone became aware of the distribution) and all the problems associated with.  Those upcoming 2nd generation POS coins are the ones you should be buying.  Buying NXT coin right now (versus these upcoming coins) is equivalent to buying Peercoin when NXT first came out.




Title: Re: The Deathblow to Proof of Stake
Post by: Brangdon on July 27, 2014, 08:54:36 PM
if a coin can't maintain momentum past a couple months (which NXT couldn't)
Nxt was at its peak in June, far more than 2 months after release, and long after its distribution was known. You say it collapsed in Jan/Feb. Back then 1 NXT cost 5,0000 satoshi. Today it costs around 7,000. Looking at the charts, it's actually been quite steady, with a few peaks (one in Feb, one in Jun). By your own analysis, the figures say Nxt is to be.