Proof-of-Stake Isn't Trustless Because It Has No Time ObjectivityOut of all
the analysis that has been done on proof-of-stake aka
PoS (and all variants such as Bitshares' and Lisk's
DPoS, NEM's
PoI, and Vericoin's
PoST), the most salient flaw is that
a PoS history has no verifiable longest chain.
This is important because it means the only possible way to enforce which is the valid chain is either via the externality of adhoc social agreement (which might include checkpoints and what Vitalik referred to as
"weak subjectivity") and/or control of the majority of the stake by colluding whales. In both cases, this means the
PoS block chain is not permissionless, trustless and is instead a forkable top-down controlled arbitrator which can't be trusted to honor the protocol, as evident by for example Ethereum forking itself to undo the protocol of the DAO contract
because some of the users of Ethereum wanted to violate the protocol. The ability to fork the block chain is a
power vacuum, meaning that it will always
attract those who are powerful enough to lie to the masses and promise them everything they want, i.e. we are right back to flawed paradigm of fiat and democracy which was what block chains were supposed to liberate us from by being trustless and immutable.
Readers please make sure you re-read the above two paragraphs slowly (and several times if you have average reading comprehension skills) to fully comprehend/absorb the gravity of it.
The reason
PoS's history is non-objective and indeterminate is because
there exists no P2P clock without the randomness of PoW. Meaning that there is
no way to determine via math which event occurred when in time order, without trusting some nodes who were online at that time to report to you their perspective of the truth (which even with their honesty might not be the objective truth due to each node having a differing subjective perspective due to propagation delays and network hiccups).
In PoS, the Nash equilibrium is destroyed, because nodes have many game theory strategies for profit other than mining only on the objective longest chain. For example (and the example cases are too innumerable to enumerate all, e.g.
the deterministic ordering due to the lack of randomness in the block event), Vitalik incorrectly argued that
the costless "nothing-at-stake" problem could
be fixed with deposits, but the confiscation of deposits can be undone by the attacker who has another "longer"
long range attack chain lying in wait without the confiscations (unless the community is using adhoc checkpoints which is itself a violation of Nash equilibrium due to granting centralized control) and/or the strategy of forsaking the deposit while doing some malfeasance and then shorting the token to make gains.
Although
PoS nodes can agree to adhere to
NTP for timing, there is no way to prove that each successive designated node issued a block on time. There can only be discord and disagreement, because there is no mathematically objectively verifiable truth. This is a power vacuum as described in the second paragraph above. Although
PoW needs to employ
NTP (or some other form of consensus on time) to periodically adjust the hashrate difficulty, the exact precision can be decided by the node that wins the block that makes the adjustment and the other nodes need only to not mine on that block if the precision is too far from a reasonable tolerance zone. The mathematically verifiable agreement is thus encoded in the PoW longest chain.
Note Ethereum is (at this time) proof-of-work (aka
PoW) and is planned to be hard-forked. There is a valid argument that when the developers of a
PoW block chain have too much influence ("Vitalik is God"), have created a Turing-complete block design that commits to egregious failure (even after they were warned for 2 years by many experts of the certain failure of doing so) enabling the protocol-compliant transfer of $millions from unwitting n00bs in one swoop, and 51% of the miners are either highly centralized into an oligarchy (i.e. Bitcoin = ChinaCoin) or
not comprised of every user that wasn't subject to the failure, then
such degenerate PoW block chain systems are indeed not trustless thus not trustworthy and will of course die. But please note that some allege that Poloniex was using its huge store of ETH to influence the vote on the hardfork, because
apparently Ethereum's developers organized the vote to be by ETH stake and not by mining hashrate.
There will exist all sorts of schemes to try to obscure the fact that
PoS isn't objective nor trustless. For example, NEM's
PoI intertwines some computation of frequency of transactions to try to rank stake by their "importance" to transaction use (although it is not clear that this can't be gamed to pay transaction fees to oneself as a whale stakeholder and even if transaction fees are burned to ether) but this doesn't change the fact that (no matter how modulated) stake has the insoluble nothing-at-stake and non-objectivity flaws. Ditto Vericoin's
PoST which modulates stake by some time function
to make large stakes less potent against small stakes in forking. Although it is claimed that
DPoS is only vulnerable to the Long Range Attack, this is misleading because it still means
DPoS is not a trustless block chain because the
"weak subjectivity" requires adherence to the adhoc social majority and voting by stake is in control of any decisions to fork the block chain to modify the protocol.
After the hack of Mintpal [13] that resulted in approximately 30% of total VeriCoin supply being stolen from a centralized, security deficient exchange, we experienced directly the inherent weaknesses of both centralization, as well as the Proof-of-Stake system. When a dishonest entity captured enough coin to control the vast majority of the consensus and potentially exploit the system, we, along with the community, opted to hard-fork the blockchain to prevent this attack. With or without age, this potential attack could not have been stopped.
Tangentially note NEM's
PoI appears to have the opposite of the
positive impact of Peercoin's coin age modulation of stake.
Note
Selfish Mining is claimed to be an attack that is present for PoW and not PoS, but in my overhaul of Satoshi's design wherein I will introduce unprofitable PoW (which also fixes the centralization problem of Satoshi's design), then selfish mining is no longer applicable.
I don't agree with smooth's claim that the mining nodes can't fork the block chain without the support of the users who transact; because users need to be on the longest chain else double-spends on the competing forks will force payees to recognize only the longest chain.
Daniel Latimer also acknowledged that PoS doesn't mathematically prove anything about elapsed time ordering. However, he presumes that every PoW block chain will be subject to politics, because he assumes every PoW block chain will have unresolved problems that require a hard fork. I don't subscribe to his assumption, because I have in mind a design which doesn't have these unresolved issues.
Proof-of-Stake's anti-DDoS Is Exponentially More ExpensivePoS has another major flaw in that since the nodes which will sign the next block are known deterministically, then the anti-DDoS infrastructure has nodes×nodes infrastructure, i.e. nodes×nodes more duplication (because the natural decentralization of the nodes is not sufficient to absorb the DDoS):
@iamnotback I do not want to quote your large DPOS statement however I do have a few questions. You understand code and crypto better then most of us.
The BitShares website states that the block witnesses are shuffled based on two different criteria. "The slate of active witnesses is updated once every maintenance interval (1 day) when the votes are tallied. The witnesses are then shuffled, and each witness is given a turn to produce a block at a fixed schedule of one block every 2 seconds. After all witnesses have had a turn, they are shuffled again. If a witness does not produce a block in their time slot, then that time slot is skipped, and the next witness produces the next block."
Is there something in the code or explorer that would let us know exactly which witness is set to produce the next block ahead of time? Even with a DDOS, a witness should have multiple instances ready to take over on different physical machines/locations. That should mitigate that attack vector. Granted if EVERY witness were unable to produce a block, the network would come to a halt and users would not be able to cast a vote (transaction) to vote in new witnesses. The chances of that happening I would believe are very slim. According to the documentation stake holders can increase the number of witnesses by vote.
You do have a home run point about PoW in that anyone at anytime can setup a full node etc... Hurry up and code!!!
DPOS is an innovation. I am not trying to imply it has no worth. It may be the best for scaling that is available right now.
Since the ordering of the nodes which can produce each block (aka 'witnesses') is known a priori, then yes this information must be public otherwise the other nodes (even non-witness nodes) wouldn't know which witnesses has the right to produce that block.
I agree that a witness could in theory set up many IP addresses on many hosts to absorb DDoS attacks, but this is very expensive if every witness has to duplicate all this infrastructure. And so naturally it force the witnesses to collude to share costs, so then you no longer have a decentralized, permissionless system.
Also PoS (including DPoS) is basically a permissioned, centralized system, because the whales will control it.
If we just wanted a centralized, persmissioned system, then we don't need block chains. We could do that more efficiently. We have it already, it is named Paypal.
The only way you scale this globally, is if nobody owns it. This is why Paypal can't disrupt the existing financial structure of the world. Too many vested interests fighting turf battles.
Proof-of-Stake "Wastes" More Resources than Proof-of-WorkAs a
PoW block chains initial distribution completes, then mining costs are funded by transaction fees. So the security of
PoW is dependent on scaling up transactions. Yet transaction fees must be a small % of the transaction value, so the cost of security is small. This does require a
PoW block chain to be very popular.
PoS is admission that the block chain is not intended to scale up (because it will blow up and be attacked at large market caps due to being a power vacuum failure just like fiat and democracy).
PoW and Proof-of-Burn are the only way to distribute coins that doesn't centralize the expenditure of the resource to a designated set of people (as in an ICO). So in that respect, the waste of expenditure on electricity is justified by the lack of centralization of the resources expended. Also
instant distributions (ICOs and coin drops) are antithetical to developing a critical mass and a successful coin (Ethereum
avoidedslightly mitigated this by adding
PoW mining distribution to follow their ICO).
In terms of ongoing security funded only by transaction fees (no distribution of new tokens),
PoS wastes the resources on gaming strategies (some of which
might even be as computationally expensive as PoW), on the
liquidity opportunity cost of bonded deposits, and one can argue wastes the entire ecosystem on a consensus system that is a power vacuum failure.
Any block chain consensus system which has 0 transaction fees can't provide a longest chain of
PoW and thus will break Nash equilibrium. Even in my unprofitable
PoW overhaul of Satoshi's design, it is not possible to make transaction fees 0 because the payers still have the cost of producing
PoW. Without
PoW, one must have some variant of
PoS, which I already explained can't maintain Nash equilibrium.
Hopefully I have justified to why I refer to
PoS as
P(iece)o(f)S(hit).