There's no way to create inconsistent transactions like this, the worst that could happen is that a locker signs a valid transaction that doesn't have time to be broadcast to the network.

Sorry if we may seem dismissive of criticism, especially when we're actually trying to receive feedback.
All the issues you're raising are actually addressed in those 2 paragraphs in the paper though.
There are two possible solutions to mitigate the problem you're raising: either having lockers from consecutive rounds communicate with one another, and do a passing of the account state at the end of the round, with signatures to back it up, or require that each transaction is signed by lockers from the previous round and from the current round. Both of these solutions are presented in the paper, and each of them solves the problem you keep coming to (spamming the network with transactions, until an inconsistency is approved).

I know they're not expanded on, but is it really not clear why this would work? For us it seemed enough at this point.

If you think that anything more needs to be said here, let us know, but please try to at least acknowledge the argument.

The claim of 20K TPS is on the global state, not per account. So account consistency is not really an issue for the locker.

We've previously replied about the way lockers from consecutive rounds communicate with each other to ensure account consistency.

The lockers are always up to date with the state of the accounts they oversee. When you submit two conflicting transactions, only the first one will be signed by the lockers (the second one will be rejected). Please read the paper again.

You're very wrong. Users control the fees when sending to exchange accounts. So they can pay < 10 satoshis per byte and get their deposit confirmed in the next block (any time earlier on today, at least).

How exactly do you trick them?

I'm not seeing 1000 satoshis per byte fees to withdraw from any exchange websites I'm currently registered with, to answer your question.

I'd love to know the answer to this question:

Who is paying 200, 500, 800 or even 1000 satoshis per byte under these conditions? WTF

Why even pay 50? Why 10!!!?

Transaction fees are not the only reward they get, there is also a certain newly created amount distributed to nodes each round (if they reach consensus).

You cannot drain nodes of their stake because you cannot convince the other nodes to update their ledgers accordingly.

At page 27 of the white paper you can read about the consensus protocol. At page 31 there is a "Commitment" section. Basically, the nodes have X rounds (we didn't agree on the exact value of X yet) to reach consensus. If they don't, no reward is given to them, so it's in their interest to achieve consensus.

But the consensus part is different than the tx broadcasting and lasts for more rounds. Node B can specifically request some account information from node A, e.g. he's behind with the transaction chain for that account, and update its state accordingly.

"The protocol assumes the nodes are not necessarily up to date with the state of all the
accounts, but they should be when it comes to those accounts for which they are
supposed to act as lockers. To achieve consistency, the nodes that are lockers for the same
account in consecutive rounds will communicate with each other. The old locker will
pass on the state of the account to the new locker.
Should the network have a low trust in lockers, at the expense of a small increase in
bandwidth and CPU usage, transactions can also be signed by the lockers of the current
round and also by the lockers of the previous round. This would ensure that no
transactions could ever be invalidated when lockers from consecutive rounds are not in
sync"

This part could probably be better emphasized.

Sorry, but what you're describing doesn't really apply, since the locker responsible for signing transaction is the same entity, and won't accidentally sign a transaction conflicting with another transaction he signed anymore than someone can crack a private key from the public key by accident. The case when two conflicting transactions take place in consecutive rounds is more complicate, and there's an analysis for it in the paper, please read it before trying to design attacks.

You have to provide proof of the conflicting transactions, as two locker signatures approving conflicting transactions. It's specified in the paper, this proof is considered in lieu of the signature of the penalized node's account.

What do you mean, how do you convince the other nodes to update their ledgers accordingly? Please read the paper more thoroughly.

Yes, that's how POS works, if you have more than half the stake you can do anything. But probably if you already have half the stake you are not interested in attacking anyone, but you'd like the value of the coin to go up

Your voice in the network is proportional to the amount of money you have (POS). Check out the locker selection function for more details.

Note that an inconsistency can never occur without the complicity of the lockers
involved. So whenever the network nodes find out about an inconsistency, they will
punish those lockers by confiscating their collateral.

Thank you @monsterer2 , this certainly helps. I still have more questions though.

   So difficulty is adjusted with each block according to the network hash power. Network hash power is measured by the speed with which a block is discovered, correct?

So how is a 51% attack possible? As I understand it, the new block header must be hashed using the previous block header. Why then does controlling a certain amount of the network power enable double spends?

  Please can anyone explain to me exactly how proof of work is a solution to byzantine fault tolerance. I am having trouble with the concept.

Imagine you are sitting in a bunker. You have no idea what people are out there and what are their intentions. You only receive some incoming messages from strangers that may contain anything. They can be just random garbage or deliberately crafted messages to confuse you or lie to you. You never know. You cannot trust anyone.e

The problem of "money" or any other "social contract" is that everyone should be able to know what the majority agrees to without trusting some intermediaries (otherwise they can easily obuse their special position). If everyone votes for "X", then you sitting in a bunker must somehow independently figure out that all those other people indeed voted for "X" and not for "Y" or "Z". But remember: you cannot trust anyone's message and messages are the only thing you get from the outside world.

When two propositions arrive into your bunker, "X" and "Y", we have no trusted reference point to figure out which one is supported by the majority of other people. We only have "data in itself" to judge which one we should choose as the main one. To make things simpler we are not trying to apply subjective judgement to either proposition, but only trying to make everyone agree to a single option. In case of Bitcoin it is a reasonable assumption: everyone is owner of their money, so no one really cares which version of the history is chosen as long as their own balance is respected.

So how X should be distinct from Y that we know for sure that no one can accidentally choose Y, Z or W? First property: this data should be "recent". So we know that we are not sitting on some old agreement while everyone else has moved onto something else. Second property: any "recent" alternative should be impossible to produce. Because if it was possible to produce, then there is always a chance that some number of people could see it and accept that alternative. And you have no way to estimate how many such alternatives exist and how many people accepted it (because you are sitting in a bunker and you cannot trust incoming messages or know how many message did you miss).

How do we define "impossible"? It means either of two things: either it is logically impossible, or it is practically (economically) impossible. If it is logically impossible, than we can know all future agreements in advance (like a deterministic chain of numbers), just by using induction. But this does not work because we'd have to have some agreement about starting point in the first place. So we end up with requiring practical impossibility. In other words we need the following:

"Message X should be provably recent and alternatives should be practically impossible to produce."

Practical impossibility can be reframed in terms of "opportunity cost": there are limited physical resources and those should have been largely allocated to X than to Y so we can see that X sucked in all resources from any alternatives. Because if it didn't, then there is a huge uncertainty about whether remaining resources are used for alternative Y or they do not interfere with the voting process. Is it possible that X did not suck in a lot of resources while alternatives are still not possible? Then it would mean that X logically follows from whatever previous state of the system and there is no voting process needed.

Therefore: message X should be provably recent and should have employed provably big amount of resources, big enough that there are not enough resources left for any alternative Y to produce in a reasonably short time frame. Also, the message X should be always "recent" and always outcompete any alternative. Because we cannot reliably compare "old" messages: is Y an "old" one that was just delivered now, or was it produced just now after resources spent on X were released?

This logically leads us to the following: we should accept only the messages with the biggest Proof-of-Work attached, and that proof-of-work should be the greatest possible ever, so there would not be any possibility for any alternative to be produce in the short window of time. And that proof-of-work must be constantly reinforced or the value of previous consensus begins to fade quickly as the opportunity for alternatives grows.

Expensive, highly specialized computer farms is the most reliable way to achieve consensus. If we were to use non-specialized resources, it would be harder to gauge whether the majority of them are indeed used for proof-of-work computations. By observing that enormous amount of work happens in a very specific, easy-to-observe part of the economy, we can estimate how expensive it is to produce an alternative, equally difficult message. In case of Bitcoin mining farms, such an alternative would require a very expensive and complex production chain, requring either outcompeting other firms that use chip foundries or building single use datacenters in the most cost-effective locations on the planet (with the cheapest electricity, coldest weather, low latency connectivity etc.)

Conclusion.

If achieving consensus in a non-trust manner is ever possible in practice, then it is only possible with a Proof-of-Work scheme and highly specialized expensive production chains. Also, consensus is only valuable for a short period of time so it must be constantly reinforced.