Let me quote Balthazar on how Novacoin does it and utilize the thought process that's already gone into it and the scrutiny I'm sure it's been given. Original message is here : https://bitcointalk.org/index.php?topic=143221.msg2392797#msg2392797<snip> Flaws: - System will become slightly less energy efficient. But still more efficient than PoW-based system.
According to release plan, new algorithm will be introduced in 0.4.3, but will be inactive on the main network until 20 Sep 2013.  Yeah, but another flaw is that the protocol does not enforce alternation of PoW and PoS. Say an attacker somehow manages to make a chain that 100% alternates between PoW and PoS - it WILL have higher trust score and WILL overwrite the old chain. Also note that this type of attack will have lower energy cost than the network spent on its non-perfect chain. Perfect chain costs less (!!) than imperfect one. However, if we were to actually enforce such alternation, pools will be starving when PoS block should be generated. |
|
|
|
Please make sure you're using the latest wallet, which you can download off http://yacoin.org/. I know the seeds were different in the very first release. I know that this wallet works, even without any addnode lines in the config file because I don't have any and have 50+ connections in my wallet. with that said, here are the first three addresses in my peerinfo that allow inbound 89.151.191.81 194.190.198.22 5.104.106.18 Nah, his problem is that he closed the wallet before it connected to irc (failed on first try, 71s delay before next attempt and then he closed it). |
|
|
|
Another thing regarding chaintrust calculation:
Since reward considers difficulty and get's lowered with higher difficulty, private miners would produce higher supply in equal timeframe.
Not neccessarily true with eg. 50% PoS blocks in the attacker's chain. Relying of PoW difficulty itself might be ok, though - see the pastebin a few posts higher. |
|
|
|
Can we define the criteria that no one POS-block can orphan more than N POW-blocks? Where N for example = 7.
What we need is a proper way to calculate the chain trust. |
|
|
|
I had a similar idea a while ago (with no-consecutive-PoS rule, though): http://pastebin.com/L8THNBZ4Not sure if lowering the PoS interval would help us much. |
|
|
|
I can't seem to wrap my mind around it, why is POS untrustworthy and POW trustworthy? So I have to trust a miner who has millions and millions of hashing power that he will not generate dozens of blocks in a series? That happens now, everyday and no one seems to care.
You can generate PoS blocks without even trying and as it is now, they can "overwrite history", which is bad. For PoW, however, you must spend a lot of electricity so it actually costs you something (quite a lot) trying to change history. |
|
|
|
Could be an exchange, maybe.
That was my first thought too - It might be bter or crypsty. If it is, we should see coins coming and going from the wallet as well. If it's cryptsy's cold storage with YAC trading still disabled and some people too lazy to withdraw, though... |
|
|
|
|
Could be an exchange, maybe.
|
|
|
|
No, it's all because of absence of the correct chaintrust calculation.
So YAC needs correct chaintrust calculation.Proposed timestamps are without merit if a malicious miner is mining a longer low difficulty private chain with fake time stamps. If I understand correctly, this seems to be a key part to the problem. Yup. Guys, have you seen that address YPGNWtN4gHFDQUvU9eC8Xzss5JCyT1ozmv with huge bunch of YACs?
It has more than 25% of ALL YAC!
Can it be the Scam or is it normal?
It does seem a bit odd... Balance: 3,734,100 YACTransactions in: 6,781Received: 3,763,601 YAC Transactions out: 23 Sent: 29,501 YAC First Transaction: 2014-01-03 02:22:02Any of our big hoarders decide to move all of their coins to a single address? Most of the transactions are for the same amount; 3,000 5,000 or 10,000 YAC. That makes me (hope) that someone is just moving all of their coins to a single address for future minting. It looks like the wallet address was only created ~96 hours ago. I posted about this in the Yacointalk forum to try and keep the development talk on track - http://yacointalk.com/index.php/topic,559.0.htmlIt appears that someone is taking all their large inputs and sending them to this one address pretty much in every block. We've been talking about a POS attack requiring vast amounts of the coin, well, here's one address with exactly that Anybody investigated where the coins came from? Still haven't finished blockparser for YAC and I'm too lazy to do it manually.  |
|
|
|
This, however, results in the attacker's fake longer chain to have a timestamp from the future - possibly more than the allowed clock-drift (depends on the length of the faked chain. If the timestamp is higher than "now + allowed drift", then such block is rejected by the client - thus fixing this issue.
Nope, this maxClockDrift condition is just a sanity checking threshold against the node with invalid time settings. It's not necessary to publish a chain immediately, real attacker will be able to publish his chain in any moment of the future. And clockdrift condition won't be able to prevent this. It's just an additional measure to prevent (well, lower the risk) the live nodes from being fooled, so they can continue building on top of the valid chain. I can generate chain and publish it a month or even year later... And it will overwrite the main chain if there are no checkpoints added. Just because there is no way to make a difference between valid or invalid timestamps if these timestamps are in the past.
Yeah, but exactly HOW can you make a valid chain that's LONGER than the previous valid chain in SHORTER time while spending considerably LESS energy to do it? And now the same with hard checkpoints enabled. |
|
|
|
I've added a small fix that preserves the old block trust model for blocks <400k (oops). https://github.com/saironiq/yacoin-cc/commit/2a394a39c2133aa600b81580f587733b2498a01dI've also been thinking abount the issue Balthazar found (generating lower-difficulty fork from last checkpoint). The only way it can be achieved (the lower diff) is by faking the timestamps in the blocks (to keep diff low) and generating a longer chain than the current main chain. By faking the timestamps to be more distant from each other the difficulty is kept low. This, however, results in the attacker's fake longer chain to have a timestamp from the future - possibly more than the allowed clock-drift (depends on the length of the faked chain. If the timestamp is higher than "now + allowed drift", then such block is rejected by the client - thus fixing this issue. The only open question is how long can the fake chain be to fit into the allowed clock-drift window. One solution is reducing the nMaxClockDrift parameter in the code from the current 2 hours (!!!). I'd personally go for something like 15 minutes or so, as your system time needs to be faily accurate to even use HTTPS sites. Hell, even time-based one-time pads (TOTP) need clock accuracy to be within 1 minute (this is the thing you use for two-factor auth, eg. with Google's Authenticator)! And most operating systems keep the time updated for you automatically, anyway. It's just a simple change, see: https://github.com/saironiq/yacoin-cc/commit/ad5533d015ea910f4ebfb569f3065186b8923ae6 |
|
|
|
Good example of simple != better statement. It will help you for one threat, but opens another hole. Actually, such fix is less secure than calculate block trust using an original algorithm. It can be forked without a significant part of stake or hashpower by running a parallel chain at lower PoS & PoW difficulties. Because it makes no difference between coindays consumed or hashpower wasted. One CPU is able to beat the entire network. The same is true for Bitcoin. That's what the hardcoded checkpoints are for. That's not true, it seems that you don't understand Bitcoin quite well. 1. Bitcoin is able to make a difference between diff1 or diff2 blocks, one diff2 block can't be beaten with one diff1 block. 2. Hardened checkpoints only purpose is to be a trigger for signature checking optimization and protection against compromised ISPs. And you can disable hardened checkpoints verification in bitcoin. Fair enough. This will need to be changed, thanks. |
|
|
|
2) Enforcing a hybrid chain (with alternating PoW/PoS blocks) is IMO a bad idea as the protocol is set to 1-minute PoW and 10-minute PoS target. With my rules hybrid chain is the optimal way when trying to do 51% attack (as you can reduce the "51%" PoW hashing power needed by at most 50% if you have 100% active weight). Still, it would not be expensive enough to attempt, anyway - that's my justification of lowering PoS trust to the level of PoW (I'd lower it even more if only it didn't cause another sort of problems, which it would). It's all about finding the right balance, anyway.
It's not a "good" or "bad" way. It's how the things should be. Preferred, but not enforced chain. For example, you can use own function of blocks share here, to maximize trust score for 10:1 chain and minimize it for another candidates. Maybe, but your solution actually forces the whole network into running their own modified client in order to maximize profits - which, honestly, sucks hard. The non-programmer folk have a huge disadvantage here. EDIT: Assuming that you actually publicly release such modified client, it essentially becomes enforced (who would intentionally lower their profits?). Also, it definitely does not solve the orphaning issue we're facing now. As I stated before, PoS is useless without there actually being something in stake... Variable ROI isn't sufficient to prevent a malicious entity wanting to break the network entirely, anyway.
It's only a part of solution. It makes malicious activity to be a less danger for a network by increasing the share of coins participating in the network protection. 59% yearly interest for early adopters, sure. Screw the later-coming big investors when the PoS difficulty gets higher and interest lowers significantly. Good way to discourage promotion of the coin and thus adoption. Even Bitcoin isn't that harsh - and it was designed with huge early-adopter rewards to encourage fast adoption. Don't get me wrong, I'm not calling Novacoin an outright scam. Just don't agree with the economic model behind it. Good example of simple != better statement. It will help you for one threat, but opens another hole. Actually, such fix is less secure than calculate block trust using an original algorithm. It can be forked without a significant part of stake or hashpower by running a parallel chain at lower PoS & PoW difficulties. Because it makes no difference between coindays consumed or hashpower wasted. One CPU is able to beat the entire network. The same is true for Bitcoin. That's what the hardcoded checkpoints are for. |
|
|
|
Thank you for the work, I know there's a bounty for this, but a little extra was donated  Thanks, much appreciated! Just noticed the donation progressbar on yacexplorer ain't updating (guess that's because YAC is disabled on cryptsy, gah). |
|
|
|
Hi All,
I grabbed the latest github sources and built the master branch. Running yacoind, I would say about 90% of the connections I see stuff like:
11/19/13 15:21:03 Moving 72.12.81.222:7688 to tried
11/19/13 15:21:03 receive version message: version 60005, blocks=294457, us=23.94.28.23:49332, them=72.12.81.222:7688, peer=72.12.81.222:7688
11/19/13 15:21:03 trying connection 81.17.30.114 lastseen=0.0hrs
11/19/13 15:21:03 socket recv flood control disconnect (10136 bytes)
Curious why that happens....
That's kinda expected during the initial block download. A workaround is adding "maxreceivebuffer=500000" into yacoin.conf. This was the best advice I've received all week. So many coins have issues downloading the blockchain because the maxreceivebuffer is too low. Is there a need for a pool? You're welcome. A pool? |
|
|
|
Those changes look so simple ... They definitely are the least intrusive change to make.
When I was reviewing novacoin's code for their changes, they had a group of constants for each hard fork and it was done based on date instead of block height. I'm not sure why they would choose that as I would think that's something a bit easier to get around to avoid using new rules, but they continue to use it. I guess the thought is that most miners are honest and majority wins, right?
Yeah, if you use date/time instead of block height, the only way for dishonest nodes to wreak havoc is in the "time +- network-adjusted offset" period (a few hours at most) and it gets resolved pretty quickly after that. The block height method is less accurate, but more secure in this regard, that's why I've chosen it. |
|
|
|
Another issue is that YAC needs protection from 51% PoW attacks and with PoS trust=PoW trust we would loose such.
Bitcoin has a unique hash-algorithm so that the bitcoincommunity with their hardware can compute far more efficient than the rest of the world. This makes it extreme hard to attack it with standard computers. Cryptos like LTC are mined with a lot of GPU's which are also not that common.
A CPU on YAC has around the same hash/s as a GPU so a botnet could easily rape us without 51%protection from PoS.
This makes me belive that PoS trust=PoW trust isn't possible without some sort of checkpoints. Somehow I think we need some sort of CentralCheckpointing...
What do you guys think about the following:
A PoS blocks trust is limited to a singe PoWs unless it get's confirmed by CentralAuthority CA in the next block. Such CA only needs to send a txt to the owner of the previous block. This would limit the power of CA to reverse just a few blocks and could only be done once. Everyone that was online would notice such by having 2 different forks which both have a confirmed PoS block in it. Miners are usually always on.
In order to get rid of the Central thing we could allow everyone to send such txts for a fee. Only the authority with the biggest balance get`s accepted and will get a small % reward later on. A minimun for becoming a CA should prevent someone to fake beeing a legit member of our community and a thief would rather steal the whole adress.
If (or better since) this isn't enough damage for someone that abuses his power we could also go where it hurts. I don't see any problem if all miners would agree to never ever accept a txt from an adress that was used to scam the whole community by this. Since freezing funds would also be nessasary to have more than just one guy getting all the rewards this wouldn't go much further. Opening a box we should never even touch... Baaaaad.
EDIT:
Reward could be randomly given to one of the 10 biggest CA-candidates that participated based on howmuch coins they have. Since sending a txt from a wallet has to send the spare change to a new adress we shouldn't go by biggest balance, we should go by biggest output.
A cooldownperiod of [n(no of candidates)+5] PoS-blocks would allow all candidates to participate and reduce the damage a single wallet can do.
No need to add another signing as PoS works in a similar way, anyway. PoS was supposed to be a distributed check-pointing and look where it got us.  Would you mind elaborating a bit?
1) You have to maximize an active weight. It doesn't matter how you do so, but you have to do it for any price (even for constant trolling from ignorant kids), because that's necessary to survive. 2) You have to make attack energy expensive, in order to prevent free attack attempts. Otherwise user will be able to use OpenVZ and 10000+ wallet copies to make 10000+ attempts without any problem. NovaCoin maximizes active weight using a variable RoI and limited block reward. It also implements a variable trust idea, the consequtive PoS or PoW blocks has lower trust in comparison with a hybrid chain. Attacker have to generate a hybrid chain to make success. 1) I assume that by "maximizing active weight" you mean the "number of coins participating in PoS * their coin-age". That's quite difficult to achieve with such little adoption and in this early stage of initial coin distribution. I think we're better off (at least temporarily until YAC economy grows enough) to enforce the rules I proposed. They're easier to implement the right way and have a much lower potential of screwing something up hard. 2) Enforcing a hybrid chain (with alternating PoW/PoS blocks) is IMO a bad idea as the protocol is set to 1-minute PoW and 10-minute PoS target. With my rules hybrid chain is the optimal way when trying to do 51% attack (as you can reduce the "51%" PoW hashing power needed by at most 50% if you have 100% active weight). Still, it would not be expensive enough to attempt, anyway - that's my justification of lowering PoS trust to the level of PoW (I'd lower it even more if only it didn't cause another sort of problems, which it would). It's all about finding the right balance, anyway. Variable ROI isn't sufficient to prevent a malicious entity wanting to break the network entirely, anyway. As YAC uses a heavily CPU-friendly hashing algorithm, it would be a dumb idea to rely solely on PoW in the era of supercomputers and even the good ol' botnets. So the optimal attack scenario favors stake amount over hashing power to at least try to mitigate the motivation of breaking the netwrok entirely - by forcing the attacker to invest heavily into the coin beforehand, thus inflicting at least some sort of monetary costs to them (botnets are dirt-cheap novadays). Anyway, I've got the code changes ready. You're all invited to review them. https://github.com/saironiq/yacoin-cc/commit/acf917a2c42cb947b08a9a7878ceafd6045ea24c |
|
|
|
Rewards manipulation or denying the consecutive PoS/PoW blocks is not a solution. Disallowing consecutve PoS blocks seems pretty good at this point... why hasn't Novacoin PPCoin done it? I think everyone would agree that if it works, it would be a better solution than centralized check-pointing.
NovaCoin resolved this issue very very long time ago. Would you mind elaborating a bit? |
|
|
|
1) What's the benefit of disallowing consecutive POS blocks in contrast to, eg., just disallow more than 2 consecutive POS blocks? Allowing 2 consecutive POS blocks won't let big holders easily overturn confirmed transactions if POS and POW have the same trust value, right?
If we allowed max 2 consecutive PoS blocks, then every PoS miner has the ability to deliberately orphan a single PoW block at the tip of the chain (assuming the last two blocks were both PoW). Thus all transactions in that block will be reversed and allowed to be double-spent (not that big of a deal, as they had just 1 confirmation anyway, but still - it would be incredibly easy to do this so we better avoid it). 2) What's the benefit of disallowing consecutive POS blocks AND having the same POW & POS trust value compared with only disallowing consecutive POS blocks while still giving POS a somewhat higher trust value?
Case #0 - as it is now:I can choose any point in the blockchain that hasn't yet been checkpointed (hardcoded height and block hash in the source code) and place my chain of PoS blocks there. Should this new fork happen to have a higher trust value than the original, longer chain - it will be accepted as a new valid chain, orphaning millions of transactions in the process. This happens quite often and (I believe) accidentally - so you can see just how incredibly easy it is to abuse if you deliberately decide to do so. Case #1 - only disallowing two consecutive PoS blocks:Imagine the tip of the chain looks like this: (whatever)-S-W-W-W-W-W-S-W-W-W-W-W (S denotes PoS block, W is for PoW) I can now orphan the last 4 blocks by placing my new PoS like follows: (whatever)-S-W-W-W-W-W-S-W- SSo this is bad, too... Case #2 - make only the trust value equal:Again, we have a chain that looks like this: (whatever)-S-W-W-W-W-W-S-W-W-W-W-W Now I prepare a chain of PoS blocks that's one longer than the number of last N blocks I want to orphan. Eg. if I wanted to orphan last 10 blocks, I'd make a chain of 11 PoS blocks and hook it to the chain as follows: (whatever)-S-W- S-S-S-S-S-S-S-S-S-S-SEasy, isn't it? Case #3 - the proposed solution:None of the above flaws work here. So far I've been able to come up with only one theoretical flaw to this system - lowering the "51%" attack hashrate threshold by PoW-mining in cunjunction with PoS-mining - however, I believe it's not much of an issue as the attacker would need to own a significant percentage of active stake in the PoS system. The worst-case is 25% attack - and the attacker then would need to own 100% of active stake (if my math is correct). So it's more like work-stake trade-off and not an outright vulnerability. That's one more reason why we need more hoarders (and pools, too!). And remember - the way it is now costs a potential attacker near to nothing as he only needs some (very little) active stake. Bottom line: I've come to a conclusion that the current hybrid PoW/PoS blockchain system is crap and needs a complete rehaul to actually do the core functions it promised to provide (like increasing chain security by PoS checkpointing with stake actually being something that's in stake - right now staking coins doesn't mean a sh*t). |
|
|
|
|
Show Posts
