Hello D5000,
Only a little observation (and that's why I comment here in the old thread): The attack monsterer described (old majority stakeholder(s) taking over the chain with a double spend) is essentially the same attack than a profitable 50+% PoS attack. In a profitable 50+% attack, you will wait for a few blocks selling your stake first (most likely in an altcoin exchange as they confirm the "reception" of the coins relatively fast) and only then try to "take over" the new chain with a prepared attack chain. Otherwise, very likely your stake would decrease in value. So, also in this attack, in the moment you take over, you don't own stake anymore (or at least, you aren't forced to own any stake).
The difference between "long-range attack" and "profitable 50+% attack" be the time between the actual double spend and the "takeover" (when the attack chain replaces the "honest" chain) but the attack mechanism is the same. But monsterer is absolutely right and this is the reason why PoS protocols are to be considered - until this is solved - weaker than PoW protocols. I consider this attack unpractical in a chain with many stakeholders and reorg limits or "rolling checkpoints", and it's likely to be very expensive, but it may be considerably cheaper than a PoW 50+% attack.
It is an interesting attack scenario, not sure if there is an official name for it, but let's continue calling it,
profitable 50+% attack. Stake based and derivative chains are more susceptible to it because, unlike PoW, a large number of blocks can be built in a short time.
The attacker must wait for a certain degree of finality (after his stake transfer transaction is placed in the chain) before launching this attack. The more uncertain a chain's finality is, the harder it is for the attacker since they have to wait longer.
Proof-of-Approval's (v2) features that may help or hurt against this attack are
- (hurt) Near instant finality - the attacker can launch the attack quickly after transferring
- Max stake transfer is limited per block so that entire 50+% stake cannot be transferred in 1 block. If the limit is set to 0.5%of total network stake, it would take the attacker 100 or more blocks to transfer.
- If the attack fork is larger than an epoch (epoch length vs stake transfer amounts are not yet finalized), then epoch approvals in the "real" chain would be larger than that in the attack chain and the real chain wins.
- If the attack fork is smaller than an epoch, the fork determination procedure as currently specified in v2, chooses higher stored approval in the topmost block. This makes such an attack possible.
A limit that has been considered and perhaps should be included in Proof-of-Approval is the max stake transfer per epoch. If that limit is set to something like 25% of stake, then this attack cannot succeed because of epoch approvals.
So, I plan to add stake transfer limit per epoch.
Shunsai
