Proof that Proof of Stake is either extremely vulnerable or totally centralised

[monsterer2]

No, that estimation includes the threats by long range attacks (like the attack you described - the typical "old keys attack"), bribe attacks, short-range attacks and other known N@S-related scenarios. No one of these attacks is free, most of them are highly impractical (try to find people that sell you 50% of the staking amount in some moment of time) and, thus, expensive

Not sure I'd completely agree with that. More like between 0% and 3% would be a more accurate estimate.

[1713473771]

1713473771

[1713473771]

1713473771

[1713473771]

1713473771

[vanbang2cdduoc]

The attacker buys all keys at once, or very close together as stated in the description.

[d5000]

No, that estimation includes the threats by long range attacks (like the attack you described - the typical "old keys attack"), bribe attacks, short-range attacks and other known N@S-related scenarios. No one of these attacks is free, most of them are highly impractical (try to find people that sell you 50% of the staking amount in some moment of time) and, thus, expensive

Not sure I'd completely agree with that. More like between 0% and 3% would be a more accurate estimate.

If it was 0%, we would have seen many more attacks to Proof-of-Stake currencies.

I agree though that attacking small/weak Proof of stake currencies should be (in theory) very easy, as they mostly have a a very unequal distribution and few real persons behind the "stakers". So the attacker can be lucky to find a 10%-stakeholder who agrees to sell him his emptied keys for a low amount.

[WhiteOutMashups]

Yes everyone knew that PoS is a PoS :poo: since anyone with money can take it over

[d5000]

anyone with money can take it over

That is also true for PoW and all known consensus algorithms

The challenge is to obtain a high attack cost. PoS attack costs are more difficult to calculate than PoW's. But they're not necessarily lower. Social engineering is not free.

I've got some ideas how to achieve a serious estimation for PoS (or any other weak-subjectivity-based algorithm with N@S problem) attack costs, taking into account, for example, the current cost of fake social media accounts, hacking of websites (e.g. block explorers), malware distribution and also the cost of shorting large parts of the currency. One could also fake a request for "old keys" (simulating to be an attacker) to get some numbers about how many people would accept such an offer and how much they would like to get paid.

Imo, in PoS currencies the security level (=attack cost) is much more dependant on a healthy ecosystem than for PoW currencies.

[Zin-Zang]

Attacker sends request to PoS user for old keys,

PoS user agrees to sell/send old keys to Attacker only upon receipt of payment for keys.

PoS user informs the PoS Dev of sold keys, before the attacker can launch his attack ,

PoS Dev updates checkpoint thru program update, making the attacker purchase of old keys useless.

Now the attacker has the useless keys and lost his payment  , and the PoS User & Dev are Laughing at the attacker's attempt.
 
*What is funny is the attacker whom is attempting to do harm with a dishonest heart, thinks the PoS User will be honest with him.*  

This might be the primary reason , no one ever tries to buy old keys.  
Because it is so easy to turn the attacker into the Chump.

[monsterer2]

PoS user informs the PoS Dev of sold keys, before the attacker can launch his attack ,

PoS Dev updates checkpoint thru program update, making the attacker purchase of old keys useless.

Now the attacker has the useless keys and lost his payment  , and the PoS User & Dev are Laughing at the attacker's attempt.
 
*What is funny is the attacker whom is attempting to do harm with a dishonest heart, thinks the PoS User will be honest with him.*  

This might be the primary reason , no one ever tries to buy old keys.  
Because it is so easy to turn the attacker into the Chump.

What is funny is trusting any form of money where you have to rely on a hard fork in order to retain any sense of security.

[d5000]

In this case, if the checkpoint is included before the attacker "liberates" his attack chain, it's still not a hard fork. It's simply a typical "weak subjectivity" scenario.

But if he was successful and the reorganization to the attacker's chain would have taken place, then it is. This would be similar to Ethereum's ETH/ETC fork.

However, these scenarios are scenarios of last resort. They can also occur in Bitcoin, if a miner majority (or a minority, in the case of a soft fork) attempts to block an important upgrade, for example. I think most of us remember the "nuclear option" in 2017

The goal for PoS currencies is to avoid this scenario. I think it's difficult enough already in mature currencies. (Edit: And the mere possibility - and high probability - of it to happen already lowers the EV of PoS attacks, and thus the incentives for it.)

[aliashraf]

Attacker sends request to PoS user for old keys,

PoS user agrees to sell/send old keys to Attacker only upon receipt of payment for keys.

PoS user informs the PoS Dev of sold keys, before the attacker can launch his attack ,

PoS Dev updates checkpoint thru program update, making the attacker purchase of old keys useless.

Now the attacker has the useless keys and lost his payment  , and the PoS User & Dev are Laughing at the attacker's attempt.
 
*What is funny is the attacker whom is attempting to do harm with a dishonest heart, thinks the PoS User will be honest with him.*  

This might be the primary reason , no one ever tries to buy old keys.  
Because it is so easy to turn the attacker into the Chump.

Actually, it is not a mitigation by any means.

Suppose, I have a dominant share of a PoS coin. I exchange my coins with a decent PoW coin ( ) and cash out, now I'm able to commit a long range attack against the network or participate in such an attack using my old private keys with zero cost.

[Ix]

Suppose, I have a dominant share of a PoS coin. I exchange my coins with a decent PoW coin ( ) and cash out, now I'm able to commit a long range attack against the network or participate in such an attack using my old private keys with zero cost.

This is misleading. It isn't possible to just hit the sell button on a "dominant share" of a coin. The market will likely collapse on the way to the exit which may already accomplish what you wanted to do anyway as a dominant shareholder. It is a criticism of lopsided distribution, not PoS. If distribution were not lopsided, then to achieve a dominant share there was a significant cost associated, and exiting that market will absolutely not be free.

Deride weak subjectivity all you want, but software checkpoints have zero actual cost and very low social and philosophical costs to anyone that isn't beating the PoW drum (which costs billions of actual dollars every year). Transactions will be dramatically cheaper on PoS and that will ultimately decide what people use - at least as an actual currency.

[Zin-Zang]

Suppose, I have a dominant share of a PoS coin. I exchange my coins with a decent PoW coin ( ) and cash out, now I'm able to commit a long range attack against the network or participate in such an attack using my old private keys with zero cost.

You purchase a dominant share of a PoS coin at higher market prices,
if you do a massive dump you crash those prices , meaning you LOST a Large % of your original investment.  
So that is a Huge Cost $$$.  

Now, the exchange that you sold on, most likely stakes their PoS coins, most do.
So all of those coins will be staking on that exchange until the buyers remove them.
Meaning the staking % of others plus the Staking % of the coins you sold on the exchange are staking.
Your old Private keys alone won't be enough to outstake your sold %, in addition to the other %.
Also other factors that would hurt your attempt is the fact proof of stake coins go dormant for different lengths of time according to their individual specs.

Never as easy as it seems , is it?  


FYI:
Even if someone crashes the price of a Proof of Stake coin,
Proof of Stake coins network require less than a few $1000 per month to operate,
and their Stakers can easily weather extremely long terms of a low price ,
as they can easily meet the monthly costs to continue a PoS coin until prices return to normal.

In Contrast :
If a PoW coin price crashes ,
PoW miners can only sustain their network for a short amount of time ,
less than 3 or 6 months on average for the majority before they have to shut down those energy wasting ASICS.
IE:
If the input cost to mine a Bitcoin is $3000, and the miners can only receive $1000 per bitcoin,
within a few months the bitcoin network will be dead as the miners can only afford to lose money per block for a Limited time.
Where as Proof of Stakers can continue indefinitely to keep their network running.
Which is why in Business a person always needs to monitor input costs , if they want to keep their business.  

*If someone ever compromised Satoshi ~1 million coin Bitcoin Wallet, they could easily keep bitcoin price in the unprofitable range long enough to kill it.*
Plus Satoshi Wallet is less than 5% of the total 21 million coin allowed, which means PoW coins are more susceptible to being destroyed by as little as 5% to make the coin production unprofitable and kill it's network, due to their insane input costs.  

*Just another reason Proof of Stake is superior to Proof of Work in the long run, INPUT COSTS to maintain their networks.*  

[monsterer2]

In this case, if the checkpoint is included before the attacker "liberates" his attack chain, it's still not a hard fork. It's simply a typical "weak subjectivity" scenario.

But if he was successful and the reorganization to the attacker's chain would have taken place, then it is. This would be similar to Ethereum's ETH/ETC fork.

I agree with everything you've written, apart from the fact that it gives validation to the idea that having the community vote to create a hard fork is in any way acceptable for a currency that's supposed to be decentralised.

[seoincorporation]

I read some good points on this thread, the attack isn't easy at all, but is possible. And the attacker doesn't need more than 51% of the network to make the attack, he only need the old addys, and as you say, this is a big vuln based on the main characteristics of the PoS system.

Honestly i don't think we will see this attack, but is good to know it's possible, maybe that way developers can think about what to fix in the next update.

[d5000]

I agree with everything you've written, apart from the fact that it gives validation to the idea that having the community vote to create a hard fork is in any way acceptable for a currency that's supposed to be decentralised.

I consider it acceptable as a "measure of last resort", as I wrote - and as a way to dis-incentive these kinds of attacks. I also think UASF's are legit as a last resort protection from malicious miners, and both measures are pretty similar.

What @aliashraf wrote is, technically, very close to a "51% stake attack". You would need to hold at least 10% - more likely about 15% - of the currency in one moment. And in this case I agree with Zin-Zang that the acquisition and also the selling of the coins would be very difficult, even including shorting, because of the influence on price (and more so if there are rolling checkpoints and your attack window is small).

I think for a PoS attacker it is more promising to continuously try short-range attacks and confuse the currency holders about the "best chain" to follow, and then launch a larger attack, shorting a large number of coins - in this case 3 to 5% of the stake should be enough to create a lot of confusion and potentially be successful with the attack, leaving a hard fork as last resort. In a chain applying TaPoS/Economic Clustering (like NXT/Ardor) however that becomes more difficult as nodes would simply follow the chain of the big exchanges, and in some algorithms like Cardano it may be close to impossible.

[Zin-Zang]

So much for PoW Security.  

https://cointelegraph.com/news/bittrex-to-delist-bitcoin-gold-by-mid-september-following-18-million-hack-of-btg-in-may

While Bittrex has blamed BTG’s Proof-of-Work (PoW) consensus as a factor that led to the double-spending attack,

Crypto exchange Bittrex will delist Bitcoin Gold (BTG), a hard fork of Bitcoin (BTC), by September 14 following an $18 million hack of the BTG network in May, The Next Web reported September 3.

Founded in 2007, the hard fork cryptocurrency Bitcoin Gold has suffered a “double-spending” hacking attack that reportedly allowed the unknown hijackers to take control of more than 51 percent of the BTG hashrate.
The attack, which reportedly started on May 18, 2018, has managed to amass more than $18 million in Bitcoin Gold from various exchanges, including Bittrex.

Following the hack,
the Bitcoin Gold team explained that the attacker was deploying the combination of a 51 percent and double-spend attack in order to defraud crypto exchanges.
They noted that the hacker was targeting exchanges since they “accept large deposits automatically, allow the user to trade into a different coin quickly, and then withdraw automatically.”

Specifically, the attacker was making large BTG deposits on exchanges, at the same time sending the same funds to his own crypto wallet.
By the time the exchanges realized that the transaction was invalid, the hacker had already withdrawn funds from the exchange and doubled his original funds.

https://www.ccn.com/bitcoin-gold-hit-by-double-spend-attack-exchanges-lose-millions/

The last transaction was sent on May 18, but
the attacker could theoretically attempt to resume it if they still have access to enough hashpower to gain control of the blockchain.

Bitcoin gold’s developers advised exchanges to address the attack by increasing the number of confirmations required before they credit deposits to customer accounts.
Blockchain data indicates that the attacker successfully reversed transactions as far back as 22 blocks

As CCN reported, a miner manipulated two of privacy coin verge’s five hashing algorithms to maliciously mine more than 35 million XVG — worth ~$1.75 million — in just a few hours.
Previously, Japanese cryptocurrency monacoin was hit by an apparent block withholding attack after a miner gained as much as 57 percent of the network’s hashrate.

[d5000]

PoW attacks are, indeed, very easy in coins using an algorithm where mining is possible with ASICs used also to mine Bitcoin or another major coin. The owners of a large farm only have to mine a coin with a "matching" algorithm, double-spend, 51% it and go on to the next one.

But this is not something that affects PoW as a consensus principle. Bitcoin is safe from this kind of attacks, Ethereum too, and even Litecoin.

As most other coins are not safe from the "chain-hopping" attack, a PoS addition may have even a positive effect. While it doesn't add much security (because small PoS coins are also very weak), the attack becomes more complex because the attacker also has to acquire coins or old keys.

[Zin-Zang]

PoW attacks are, indeed, very easy in coins using an algorithm where mining is possible with ASICs used also to mine Bitcoin or another major coin. The owners of a large farm only have to mine a coin with a "matching" algorithm, double-spend, 51% it and go on to the next one.

But this is not something that affects PoW as a consensus principle. Bitcoin is safe from this kind of attacks, Ethereum too, and even Litecoin.

That my friend is the illusion that is a false belief.

Bitcoin or Ethereum or Litecoin are only as safe as the miners that collude to form at least a 51% majority.

If at anytime , the profit / incentive sways from protecting Bitcoin or Ethereum or Litecoin to attacking them ,
since the PoW miners are selfish in motive (Greed/Profit), they will switch as they consider their ASICS more valuable than the coins they produce.

IE: Bitcoin is Completely Safe as long as the Chinese Miners Agree it is.
Just as Paypal is safe as long as their centralized control agrees it is.
In both cases we are trusting 3rd parties to secure our transactions. [In Proof of Stake , we can buy enough coins to secure our own transactions.]

You are not Trusting the PoW Consensus design , you are trusting the over 51% colluding ASICS miners to secure the coin.

Which is one problem with PoW Design , if you have over 51% you can maintain constant control over the network,
while a PoS design your % is always in flux, as when you stake your coins go dormant for a length of time , removing your ability to control the network.

While a PoW network can be controlled 100% of the time, by over 51% collusion,
A PoS network in contrast can only be controlled for a limited time due to the dormancy requirement after staking.    
* Plus you can sell your PoW coins and have no effect on your 51% PoW dominance, while in Proof of Stake selling coins decreases your PoS %.*



FYI:
https://www.coindesk.com/blockchain-immutability-myth/

Nonetheless, it's important to remember that each node is running on a computer system owned and controlled by a particular person or organization, so the blockchain cannot force it to do anything.
The purpose of the chain is to help honest nodes to stay in sync,
but if enough of its participants choose to change the rules, no earthly power can stop them.

That's why we need to stop asking whether a particular blockchain is truly and absolutely immutable, because the answer will always be no.
Instead, we should consider the conditions under which a particular blockchain can be modified, and then check if we're comfortable with those conditions for the use case we have in mind.

FYI2:
Currently with PoW, people pay a transaction fee to have their transaction included in a block.
What if the miners decided it was more profitable to offer others the ability to pay to block an address from completing a transaction, and make people bid against each other one person trying to include a transaction and the other wanting it excluded.  
By doing so they increase their profit margin, and they are selfish miners after all.

So if you did not have the ability to add transactions to blocks, you be suffering at their whims.

IE:
You own the bank a payment on your credit card on tuesday , , you send the bitcoins to their payment address on monday.
What you don't know is they paid the colluding miners a fee to delay any transactions going to their payment address for a few days.
The Bitcoins you sent are stuck in transit , just being ignored and not released.
After the time limit has passed the credit card payment is allowed to arrive , but not before you have been hit with late penalties and additional fees.

[d5000]

If at anytime , the profit / incentive sways from protecting Bitcoin or Ethereum or Litecoin to attacking them ,
since the PoW miners are selfish in motive (Greed/Profit), they will switch as they consider their ASICS more valuable than the coins they produce.

IE: Bitcoin is Completely Safe as long as the Chinese Miners Agree it is.
Just as Paypal is safe as long as their centralized control agrees it is.

There is no way to create a 100% safe coin. That's why I also wrote that I consider a "last resort hardfork" or UASF, changing the mining algorithm (to throw off the miners using a distinct ASIC model) a legitimate action.

However, I still consider PoW superior to PoS, because attack cost is more predictable. I have written that I estimate attack costs to be similar between PoW and PoS. But in PoS, the calculation is not easy, because there are much more variables to take into account. Perhaps monsterer is right and a certain variable combination results in a comparatively cheap attack.

My favourite for the moment is the combination of PoW, PoS and PoB.

Which is one problem with PoW Design , if you have over 51% you can maintain constant control over the network,
while a PoS design your % is always in flux, as when you stake your coins go dormant for a length of time , removing your ability to control the network.

If you mean 51% of total stake, this is false. If you can control 51% for a certain time, you can easily secure permanent 51%. It is even worse than with PoW, because in PoW you need to waste electricity to preserve the 51%, in PoS you don't.

If you were referring to an attack with e.g. 10-15% of the total stake having 51% of the "currently active stake", then you may be right - the other coin holders could connect to the network and stop the attack.

A PoS network in contrast can only be controlled for a limited time due to the dormancy requirement after staking.

No. Nothing stops the attacker to use several addresses for his attack.

* Plus you can sell your PoW coins and have no effect on your 51% PoW dominance, while in Proof of Stake selling coins decreases your PoS %.*

OK, this is true. But a single 51% attack may cause enough damage that the confidence in the coin would be severily affected. Even if it doesn't mean it "dies", it may never recover its original importance.

And the attacker could even preserve his (emptied) keys to launch "long term attacks" like the one monsterer described.

[Zin-Zang]

There is no way to create a 100% safe coin. That's why I also wrote that I consider a "last resort hardfork" or UASF, changing the mining algorithm (to throw off the miners using a distinct ASIC model) a legitimate action.

However, I still consider PoW superior to PoS, because attack cost is more predictable. I have written that I estimate attack costs to be similar between PoW and PoS. But in PoS, the calculation is not easy, because there are much more variables to take into account. Perhaps monsterer is right and a certain variable combination results in a comparatively cheap attack.

My favourite for the moment is the combination of PoW, PoS and PoB.

Combining Consensus methods does not combine their strengths , it combines their weakness.
 

Which is one problem with PoW Design , if you have over 51% you can maintain constant control over the network,
while a PoS design your % is always in flux, as when you stake your coins go dormant for a length of time , removing your ability to control the network.

If you mean 51% of total stake, this is false. If you can control 51% for a certain time, you can easily secure permanent 51%. It is even worse than with PoW, because in PoW you need to waste electricity to preserve the 51%, in PoS you don't.

If you were referring to an attack with e.g. 10-15% of the total stake having 51% of the "currently active stake", then you may be right - the other coin holders could connect to the network and stop the attack.

If you have 51% and stake 6% , you are now only at 45% until the dormant period has passed, and the other 49% now outstakes you until their % drops below yours.
Which is why I say PoS 51% is only in control for a limited time and the staking % drops as soon as you use it for a specified time period.
Even with 51% you can't control a PoS coin 100% of the time like a PoW coin.
PoS coins with coin age are even harder to predict, as one old friend said , Proof of Stake is Secured by Chaos itself.

A PoS network in contrast can only be controlled for a limited time due to the dormancy requirement after staking.

No. Nothing stops the attacker to use several addresses for his attack.

Addresses are irrelevant,
once staked PoS coins go dormant for a preset time, anywhere from 24 hours to 90 days depending on the specs.
They can't generate new blocks until they are no longer dormant.

And the attacker could even preserve his (emptied) keys to launch "long term attacks" like the one monsterer described.

monsterer lack of understanding of what is required is mind blowing.
Long range attacks are more complicated that what has been mentioned.
Target difficulty / Modifier Intervals / Coin Age /  Blocks required / Block Propagation timing / Tricking nodes into a reorg

Not only is it incredibly complicated, it can all be blocked with Random Checkpoints or rolling checkpoints
or even if the main chain just maintains a higher coin age than the attacker's chain.
*Also the fact that the sold coins will probably be staking on the main chain after being sold, gets lost in translation.*

So forgive me, when I ignore his concerns, I did offer him the opportunity to prove his theories, but he declined.  
 

FYI:
As you mentioned in an earlier post , Short Range attacks are the best chance for an attacker, but that is in PoS or PoW.
The complications of a Long Range attack grow with every day that passes, for PoS or PoW.

[monsterer2]

monsterer lack of understanding of what is required is mind blowing.
Long range attacks are more complicated that what has been mentioned.

Have you even read the OP? This attack is not long range, its short range - below your precious reorg depth limit.

Even the most pessimistic cost assessment puts this attack at 3% stake.