Proof of Stake Bitcoin?

[monsterer2]

Knowing the danger? The danger of sending your own funds to yourself? How is that a danger in any legitimate currency?

If this attack is known, then large holders will also know that they should avoid sending all their stake to themselves, and divide their stake in various outputs/accounts (depending on the currency type). And again: This kind of attack has only chances to succeed if the currency is very unevenly distributed.

The 'nothing at stake' attacks might sound theoretical, but more are being discovered all the time - it's only a matter of time before one is discovered that hasn't been patched over in one of the major PoS coins.

Please provide me some sources for new Nothing at stake attack variants. I am really interested. If there is one of them that also would work (without costing more than a 51% attack) in a well-distributed currency, then I may reconsider my stance on PoS.

Why would you expect joe public, who is the ultimate holder of said coin, who only has a basic understanding of cryptocurrency, to understand that they shouldn't send money to themselves? Seems like a pretty fundamental failing to me.

This attack is a new variant on nothing at stake.

Here's another one for you: death. Major stake holder dies unexpectedly; there go 50% of your blocks. Eventually, the coin will die out as it's major stake holders die in the physical world.

[1715409142]

1715409142

[1715409142]

1715409142

[1715409142]

1715409142

[1715409142]

1715409142

[1715409142]

1715409142

[d5000]

Why would you expect joe public, who is the ultimate holder of said coin, who only has a basic understanding of cryptocurrency, to understand that they shouldn't send money to themselves? Seems like a pretty fundamental failing to me.

So you think it's easy to tell thousands or millions of "average Joes" to send coins to themselves?
The only event I can imagine where massive sending of currency at the same time could occur is a generalized panic on exchanges (sending to other addresses should have the same effect, as the coins would have to "mature" there).

But for 51% to send coins the panic would have to be really massive, and these 51% holders would have to be online in a relatively short timeframe for the "blockchain stop" to occur.

I think it's an extremely difficult attack, even if you consider a short seller that wants to profit from it. And it doesn't fit really in the "Nothing at stake" category. A PoW/PoS hybrid coin, for example, would not be affected.

Here's another one for you: death. Major stake holder dies unexpectedly; there go 50% of your blocks. Eventually, the coin will die out as it's major stake holders die in the physical world.

Another one that is only feasible if there are few holders and distribution is very uneven.

[monsterer2]

Why would you expect joe public, who is the ultimate holder of said coin, who only has a basic understanding of cryptocurrency, to understand that they shouldn't send money to themselves? Seems like a pretty fundamental failing to me.

So you think it's easy to tell thousands or millions of "average Joes" to send coins to themselves?

As I said previously, you may only need to convince 3 people for this attack to work; it all depends on the distribution of staking coins.

In any case, that's beside the point. Why should joe public know not to send themselves money?

[aleksej996]

When it comes to uneven distributions, you shouldn't forget that majority of worlds money is in hands of top 1% (https://en.wikipedia.org/wiki/Distribution_of_wealth#Data_about_global_distribution_of_wealth).
It shouldn't be unreasonable to assume that distribution would be quite uneven. Plus we are talking about control of the coins here, not just ownership, which is even more centralized since you have banks and investment funds, where few control a lot of money.

[d5000]

As I said previously, you may only need to convince 3 people for this attack to work; it all depends on the distribution of staking coins.

Exactly, it depends on distribution - that's what I'm highlighting in every single post of this discussion. PoS coins that are badly distributed are weak and can be easily attacked, that's beyond question. And if a coin is so badly distributed that the "departure" of only three (or four, or five ...) stakers would already be critical, then one could assume that:

1) the coin is a very small cryptocurrency (basically, a failed one or a very young one, or one with a large premine);
2) these three stakers should know what they're doing, so they won't be "average Joes" but most probably crypto enthusiasts (like the coin developer and crypto investors, or crypto exchange owners). They should know about the danger.

In any other case (=in mature and active PoS cryptocurrencies), you must convince a larger group to act in a way that has not even a benefit for them. That needs advanced social engineering - or as I outlined, an expensive short-sell attack.

[aleksej996]

This world is quite old and still the distribution of wealth isn't even at all. This isn't due to any particular event either, the wealthiest man at the moment got rich relatively quite recently, so we shouldn't assume that coins will be more evenly distributed over time, maybe the near future, but in the very long run I wouldn't bet on it. Bitcoin should be designed to be here and stay for as long as it can.

[monsterer2]

1) the coin is a very small cryptocurrency (basically, a failed one or a very young one, or one with a large premine);
2) these three stakers should know what they're doing, so they won't be "average Joes" but most probably crypto enthusiasts (like the coin developer and crypto investors, or crypto exchange owners). They should know about the danger.

Those are some awfully big assumptions. Why chose a currency with all this extra, non-obvious risk-baggage associated with it?

[d5000]

Those are some awfully big assumptions. Why chose a currency with all this extra, non-obvious risk-baggage associated with it?

Only small or very badly designed Proof of Stake currencies would have these weaknesses.

Small PoW coins have a similar problem - they are also weak and can be attacked easily via 51%ing them because mining power typically is weak and very unevenly distributed. Even in stronger currencies this problem persists - there is often a pool or miner group that in theory could 51% the currency. I've followed the Segwit adoption in Vertcoin and Litecoin and there were often situations when a single address (pool or miner) mined more than 50% of the blocks of a day.

[kokojie]

This world is quite old and still the distribution of wealth isn't even at all. This isn't due to any particular event either, the wealthiest man at the moment got rich relatively quite recently, so we shouldn't assume that coins will be more evenly distributed over time, maybe the near future, but in the very long run I wouldn't bet on it. Bitcoin should be designed to be here and stay for as long as it can.

Well if the real world hasn't exploded from the bad distribution, what's wrong with having it in a Proof of Stake crypto? You think the current situation of 5-6 people controlling 90% of Bitcoin PoW hash rate is the ideal crypto utopia?

[yebolin]

I don't think so.Aiming at a series of problems, the future should have a solution.

[monsterer2]

Those are some awfully big assumptions. Why chose a currency with all this extra, non-obvious risk-baggage associated with it?

Only small or very badly designed Proof of Stake currencies would have these weaknesses.

Small PoW coins have a similar problem - they are also weak and can be attacked easily via 51%ing them because mining power typically is weak and very unevenly distributed. Even in stronger currencies this problem persists - there is often a pool or miner group that in theory could 51% the currency. I've followed the Segwit adoption in Vertcoin and Litecoin and there were often situations when a single address (pool or miner) mined more than 50% of the blocks of a day.

I don't follow your comparison to PoW; in a small PoW currency, the PoW will have been designed such that it is in incompatible with bitcoin's ASICs and hard to accelerate on graphics cards. Therefore, the initial distribution of miners will be the best it can possibly be.

Furthermore, PoW doesn't suffer from any of the problems listed here in this thread. Miners can come and go as they please, even a miner with 50% hashing power disappearing forever doesn't leave the currency dead in the water - it will eventually recover, the only consequence is an increase in confirmations required to accept a transaction.

PoS isn't permissionless like PoW is; you have to buy stake with which to produce blocks and once that stake is gone, it is gone forever. PoW converts electricity into blocks which anyone with a computer can do.

[aleksej996]

This world is quite old and still the distribution of wealth isn't even at all. This isn't due to any particular event either, the wealthiest man at the moment got rich relatively quite recently, so we shouldn't assume that coins will be more evenly distributed over time, maybe the near future, but in the very long run I wouldn't bet on it. Bitcoin should be designed to be here and stay for as long as it can.

Well if the real world hasn't exploded from the bad distribution, what's wrong with having it in a Proof of Stake crypto? You think the current situation of 5-6 people controlling 90% of Bitcoin PoW hash rate is the ideal crypto utopia?

Well the real world doesn't really have PoS, it is actually more like PoW. My point was that distribution probably will always tend to be uneven. Uneven distribution in PoS system adds a new vector of fewer parties controlling the system. That new vector is time of adoption of that stake, it this case adoption of cryptocurrency. If distributions always tend to be uneven then PoW and PoS will have that problem over time for whatever the reason that is occurring (might be natural selection at play or something else), the problem of centralization. However PoS will have it occurring for one more reason than PoW and that is the early adoption, like I said in my first post quoted below.

Proof of Work algorithm gives you the option to always get some coins.
In PoS system, early adopters hold the power forever, this is not a good long term strategy, since no body is perfect and nobody can be trusted.
In PoW everybody is equal in casting a vote regarding to time they joined the network, but still bounded only by the amount of electricity they have and since electricity can be traded, it means richest are the most powerful.
In PoS you can get bigger power to vote in two ways, you are an early adopter or you have a lot of coins currently. And since those coins can presumably be traded as well, that means the richest have most of the power in PoS as well.
So PoS has one more vector for reorganization, but the benefit of lower costs of the network.

I believe Bitcoin should stay PoW and I can't see a reason for it to make a switch. I don't believe security of it should be put on the risk for the benefit of saving some money. A natural system of who can bring more to the table is the best option we currently have to keep the blockchain safe.

I don't think Bitcoin is ideal crypto utopia, there are plenty of good advancements made in many altcoins, Bitcoin just takes a slow,stable and secure approach in it's development compared to other cryptos. Centralization of mining power is a very real problem in Bitcoin and that might be inevitable, however we should fight for the chance that it isn't. One of the biggest issues there is mining pools and some cryptos saw that and did their best to stop it happening it their own coin, using smaller block time target of couple of seconds and making it more accessible for more people to start mining, like trying to stop ASIC mining with new hashing algorithms. A PoS coin has no way to battle the initial distribution, it is a more likely a lost cause.

[27aume]

DO you guys ever think that bitcoin will do proof of stake? Just wanted to get some peoples insights on this.

Considering all the altcoin that are PoS and are based on BTC. I think its already done.
Its just a question of Bitcoin value over other PoS/PoW coin that arnt well known yet.
i think that in mass adoption PoS coin will have a lot more success so probably BTC will nto stay the #1 for eveer that my opinion.

[d5000]

I don't follow your comparison to PoW; in a small PoW currency, the PoW will have been designed such that it is in incompatible with bitcoin's ASICs and hard to accelerate on graphics cards. Therefore, the initial distribution of miners will be the best it can possibly be.

The weaknesses of small PoS and PoW coins are not the same ones. But botnets and cloud mining are two forms an attacker can use to get easily a majority for a short time in a small PoW currency. This kind of attack isn't free, but should be easier to perform than a history/long range attack on PoS currencies. However, I think you are right that a _very_ small PoS currency is probably weaker than a _very_ small PoW currency, if the PoW currency is using an ASIC/GPU-unfriendly algorithm.

Furthermore, PoW doesn't suffer from any of the problems listed here in this thread. Miners can come and go as they please, even a miner with 50% hashing power disappearing forever doesn't leave the currency dead in the water - it will eventually recover, the only consequence is an increase in confirmations required to accept a transaction.

As far as I know only some PoS algorithms have the problem to come to a halt after a large "stake rate" drop. Even then, a hard fork or a snapshot-based restart can save the currency. That would need a collective effort of the "validators", but it is comparable with the collective action Bitcoin miners took in March of 2013 to kill the fork that had been produced by BTC 0.8.

By the way: with Bitcoin Cash we saw that a extremely large hashrate drop in a PoW currency also can result in a "semi-permanent halt" - one block per 6 hours for a whole difficulty period, like at the beginning of the BCC existence would have made the currency almost unusable for a long time and it would probably have died. I know that is an extreme situation, but in my opinion we here are debating about gradual differences and not about a fatal flaw.

PoS isn't permissionless like PoW is; you have to buy stake with which to produce blocks and once that stake is gone, it is gone forever. PoW converts electricity into blocks which anyone with a computer can do.

I get that point. It's a theoretical disadvantage of PoS currencies, but in my opinion not a fatal flaw because currencies without a working market practically are not currencies, and so the option to "buy in" is as easy (in most currencies much easier!) than to mine a PoW currency.

When choosing between both systems, it has to be analyzed if this disadvantage is more important than the generally much higher cost of a PoW cryptocurrency node network because of the higher energy consumption.

[aleksej996]

Both algorithms are good for their own thing, in my opinion. PoS can make a lot of sense, it is a trade between security and cost, which is a very fair trade sometimes. That isn't to say that PoS is never secure, just that it is less then PoW, at least in the use as a decentralized currency. If the currency should be more centralized for some reason, then it is a win-win. But for a global currency like Bitcoin, I would say that PoW is a way to go.

[monsterer2]

PoS isn't permissionless like PoW is; you have to buy stake with which to produce blocks and once that stake is gone, it is gone forever. PoW converts electricity into blocks which anyone with a computer can do.

I get that point. It's a theoretical disadvantage of PoS currencies, but in my opinion not a fatal flaw because currencies without a working market practically are not currencies, and so the option to "buy in" is as easy (in most currencies much easier!) than to mine a PoW currency.

In the context of one of these attacks it is very different. How will you buy PoS coins from an exchange when the network isn't producing blocks? In this case, there is no way for the network to recover barring a hard fork, which is very damaging for a currency which is supposed to be decentralised.

You comparison to BCC is actually a very revealing example of how a PoW coin deals with a sudden and catastrophic drop in hash rate. Less blocks, slow recovery. If a PoS coin suddenly lost 95% of the staking power, a hard fork would have been the only way to recover.

[danBitcoin]

Initially I was hoping for a proof of stake Bitcoin as well. But then I realized that the best path for Bitcoin would be to move towards useful proof of stake, where the computations help the world somehow (like Gridcoin). Of course, they already help the world by confirming transactions, but more could be achieved.

[aleksej996]

Initially I was hoping for a proof of stake Bitcoin as well. But then I realized that the best path for Bitcoin would be to move towards useful proof of stake, where the computations help the world somehow (like Gridcoin). Of course, they already help the world by confirming transactions, but more could be achieved.

I would say that Primecoin might be a better example of a useful secure PoW coin. You get big primes as a result, which is always useful in cryptography. Since prime numbers are used in public/private key cryptography, it would be kind of like it is feeding it self Who knows, maybe one day we figure out how to make a nice switch in Bitcoin's PoW algorithm, that might take some time tho.

[bitKaBoom]

PoS is problematic on many levels and is extremely hard to deploy. Research on the topic is also scarce.

Miners have been shown to be problematic towards the long term health of bitcoin.

A more interesting point is how the bitcoin community lost the thought/research leadership in this area which is a real harm and probably more dangerous in the long term than most people think.

and how it could be dangerous?

[aleksej996]

PoS is problematic on many levels and is extremely hard to deploy. Research on the topic is also scarce.

Miners have been shown to be problematic towards the long term health of bitcoin.

A more interesting point is how the bitcoin community lost the thought/research leadership in this area which is a real harm and probably more dangerous in the long term than most people think.

and how it could be dangerous?

Early adopters control the system forever. All the problems of centralization apply. One point of failure and all that.