[Megathread] The long-known PoW vs. PoS debate

[Wind_FURY]

Here's another shower thought. What if a developer builds, and bootstraps a new cryptocurrency network based on POS, and if you want to join the network as a validator, you can buy the tokens, BUT, only through Bitcoin.

Isn't this Merged mining Proof of Stake?

No, I didn't think of it that way, just simply if you want to participate in the hypothetical POS Network, you need Bitcoin and can ONLY use Bitcoin to receive the POS token.

Does that make the new POS cryptocurrency network backed by Bitcoin's POW?

It is definitely backed by bitcoin, and since bitcoin relies on PoW, it's indirectly backed by PoW. Not something "environmental evangelists" like LegendaryK are going to support of.

Bitcoin needs to be mined, to buy the POS token.  

So... Why don't you buy bitcoin?

You can buy if you want to, but the context still is, all Bitcoins in existence are created into existence as block rewards received from mining.

[stwenhao]

No, I didn't think of it that way, just simply if you want to participate in the hypothetical POS Network, you need Bitcoin and can ONLY use Bitcoin to receive the POS token.

That's the plan: to have a network, where you can receive coins, only if you sign your bitcoins. Of course someone else could sign its own coins on your behalf, there is no way to stop that.

You can buy if you want to, but the context still is, all Bitcoins in existence are created into existence as block rewards received from mining.

Yes, but the current difficulty means that a lot of energy has to be used. It is possible to convince people to turn off their miners gradually (by convincing them that they can earn more by making signatures and staking their bitcoins), so the difficulty would gradually reach the minimal value. Then, it is possible to protect the whole network mainly by Proof of Stake, and leave a little protection of the Proof of Work, just to make it backward compatible.

[BlackHatCoiner]

I don't need any new coins. Each validator can take fees, in the same way as LN nodes take fees.

If each validator takes fees in the same way as Lightning, then it's the same kind of Proof-of-Stake. Proof-of-Work and Proof-of-Stake are mechanisms used to tackle decentralized minting and transaction processing. If your PoS-sidechain idea excludes the former, then I don't understand how it's different.

Yes, but the current difficulty means that a lot of energy has to be used. It is possible to convince people to turn off their miners gradually (by convincing them that they can earn more by making signatures and staking their bitcoins), so the difficulty would gradually reach the minimal value.

I don't see how's that the case. The moment a block is solved, it stops having a cost. The miner can stake those coins, but there's nothing discouraging him to continue mining. If it's profitable to mine, and earns extra income from staking, I don't understand why not doing both.

Also, if difficulty reaches the minimum value, the main layer has no security, and along with it, all the sidechains as well. Unless your proposal is to move to another layer gradually.

[stwenhao]

If each validator takes fees in the same way as Lightning, then it's the same kind of Proof-of-Stake.

Yes, it's the same kind of Proof of Stake, but it has a chain. And that difference allows direct payments between participants, and that's the key difference between my proposal and Lightning Network: it is like if you could watch all channels and their state. Also, in this case, no watchtower is ever needed, and mining is also possible, because if you can watch all channels and transactions, then you can collect all of them, make a sidechain block out of it, and sign it, then you take all fees from all users as your reward (by default your reward is zero, and can be increased by validating transactions). So, the situation is clear: people can wait a long time for mainchain confirmation and pay on-chain fees, but they can instead use minimal on-chain fees, and pay much less, to have it signed by stakers. In this way, the stakechain can fill the gap between zero and the first confirmation, for a few satoshis you can get it validated, instead of accepting zero-confirmation. No coins will be created out of thin air, users will agree voluntarily to move their coins into stakers' hands, just by signing transactions.

I don't understand why not doing both.

You can, I guess that will be the case during bootstrapping, then people will find a good balance between that, and will see that staking can give them more profits, while having less power requirements, because then no mining equipment is needed. It will be a gradual way from 100% mining and 0% staking into 1% mining (the minimal difficulty is one) and 99% staking.

Unless your proposal is to move to another layer gradually.

It has to be gradual, because instant change will be rejected by Proof of Work enthusiasts. They don't want to switch immediately, they have to be convinced over time, that a different system is better, and can reward them with more coins.

[tadamichi]

I don't need any new coins. Each validator can take fees, in the same way as LN nodes take fees.

If each validator takes fees in the same way as Lightning, then it's the same kind of Proof-of-Stake. Proof-of-Work and Proof-of-Stake are mechanisms used to tackle decentralized minting and transaction processing. If your PoS-sidechain idea excludes the former, then I don't understand how it's different.

Btw this wasn’t my quote.

I think this also opens the question of incentives and security. Sidechains always have a dilemma, they need to move an existing asset into a weaker form of security.

In the case of a PoS sidechain the security will be based on how much capital is inside it, let’s say it starts out with 200.000 € worth of Bitcoin locked inside. It would be easy for any whale, to take control over the network in the beginning. And in general the amount of capital required to make a majority attack on a PoS sidechain, would always be less than the amount of capital that’s inside it, this is different than on a PoS main chain, because the value that’s destroyed on the sidechain makes the attackers holdings worth more on the Bitcoin main chain. He could destroy 200k with just putting 101k in. This would actually make attacks that wanna destroy the side chain profitable.

Then my question is, because im not that familiar with how PoS and bridging in a side chain will work: can an attacker who controls majority of the capital send everyones funds back to the main chain, or make the coins inaccessible forever?

Isnt the whole promise of sidechains, we’re used less, so we can offer services more cheaply? But this incentive to even use them falls apart once they gain traction, because then they face the same problems as the main chain. In terms of scalability, decentralization and security.

It has to be gradual, because instant change will be rejected by Proof of Work enthusiasts. They don't want to switch immediately, they have to be convinced over time, that a different system is better, and can reward them with more coins.

I still don’t understand how this is economically possible. Sure, staking is cheaper and easier for validators, but if the task is providing security and consensus, and this method cant do it, then how was the task solved?

- You can’t have higher fees or the side chain won’t get used.
- If the side chain has more throughput and thus make the average transaction cheaper, it will suffer the centralization problems, the main chain is trying to avoid.

How will they get more coins? There’s a limited amount of coins, more coins means you gotta worsen the distribution of it. How isn’t PoS more and more concentration of wealth at the top, automatically built-in, no work required? This fate is set by the system, there’s no competition that can change it. Lightning is completely different it’s competitive and takes skill and planning to run successfully, it doesn’t work on the premise to give people more fees, sure the highest capital nodes can get more fees, but there can still be competition from smaller nodes, because most people won’t be needing to send high amounts everyday. It actually helps the main chain, instead of being in competition with it, both balance each other out.

[BlackHatCoiner]

Yes, it's the same kind of Proof of Stake, but it has a chain. And that difference allows direct payments between participants, and that's the key difference between my proposal and Lightning Network.

We still don't know most of your network's details, though. For example, Proof-of-Stake-alone systems (can) suffer from subjectivity, as I've said in the OP. The Lightning Network doesn't; you can't double-sign transactions.

It will be a gradual way from 100% mining and 0% staking into 1% mining (the minimal difficulty is one) and 99% staking.

This just doesn't sound right.

then people will find a good balance between that, and will see that staking can give them more profits

Miners' income comes from mining, where there's a cost. Staking coins has no cost. Therefore doing the work and staking will always be more profitable than staking alone. (If miner's income is greater than the cost)

can an attacker who controls majority of the capital send everyones funds back to the main chain, or make the coins inaccessible forever?

There are unlimited possibilities that depend on the details. If we don't have a paper that explains clearly how a Proof-of-Stake sidechain is somewhat superior, we can only do pointless speculation.

[stwenhao]

they need to move an existing asset into a weaker form of security

They usually have "weaker form of security" only because people don't know how to implement Merged Mining correctly (see: NameCoin). There should be one source of the Proof of Work, and each sidechain should commit to that, so users will first get everything sidechain-confirmed, and then Bitcoin-confirmed. After the latter, it is as strong and as resistant to chain reorganizations as Bitcoin itself. And again, Proof of Work can be replaced by Proof of Stake inside the sidechain, without affecting the mainchain consensus at all. Also, sidechains can be created and destroyed at will, it is just a matter of signing the right transaction, to deposit funds into the sidechain, and to take them back, just by moving them on the mainchain. Now I know that any testnet or signet can be easily deployed in that way, and I am trying to think about mainnet, and to deploy some test networks, just to show how it works.

In the case of a PoS sidechain the security will be based on how much capital is inside it, let’s say it starts out with 200.000 € worth of Bitcoin locked inside. It would be easy for any whale, to take control over the network in the beginning.

It is not that easy to take control, because things will be committed on-chain, and after that, it will be very hard for any whale to overwrite that.

can an attacker who controls majority of the capital send everyones funds back to the main chain, or make the coins inaccessible forever?

Users are protected from stealing in the same way as in LN: there are penalty transactions. Also, they are automatically broadcasted, without any watchtower, because revealing any previous transaction will allow unlocking the penalty transaction and broadcast it on-chain. All nodes observe both the mainchain and the sidechain, any malicious action of some wealthy sidechain wallet will be noticed by the sidechain network, and all honest nodes will react immediately, by broadcasting penalty transactions to the mainchain.

Isnt the whole promise of sidechains, we’re used less, so we can offer services more cheaply? But this incentive to even use them falls apart once they gain traction, because then they face the same problems as the main chain. In terms of scalability, decentralization and security.

If sidechains are done in the right way, then they have one nice property, that is not possible on the mainchain: it is possible to prune the history, as it gets confirmed on the mainchain. Coins are created by signing mainnet coins, and then they are destroyed, when mainnet coins are moved. That means, the sidechain history can be regularly pruned, when it gets confirmed on the mainchain. In this way, if the sidechain will be too big, then people can always move them directly, from one sidechain to another, a single mainchain transaction can clear the old sidechain history, and move everything to the new, fresh sidechain. And users can decide, if they want it or not, because they have to do it explicitly, by signing transactions. Imagine a Bitcoin, where you could download only the UTXO set, the Proof of Work headers, some recent blocks, and then the Initial Blockchain Download would take, I don't know, 10 GB? Maybe 20 GB? Only sidechains has such properties, because the mainchain has no upper layer.

Sure, staking is cheaper and easier for validators, but if the task is providing security and consensus, and this method cant do it, then how was the task solved?

It just makes it two-steps and fills the gap between zero and one confirmation.
Without my system: you have zero confirmations with full RBF, so anything can be always replaced, at any time.
With my system: you still have zero confirmations, but you can pay validators to sign your transaction, so the chance for it being unconfirmed forever is much lower.

You can’t have higher fees or the side chain won’t get used.

Fees will be automatically regulated by the network itself, as it is in Bitcoin. There will be just some market fee.

If the side chain has more throughput and thus make the average transaction cheaper, it will suffer the centralization problems, the main chain is trying to avoid.

You can worry about "centralization problems" in LN, they are exactly the same as in my proposal.

How will they get more coins?

Users will pass their coins to the validators explicitly, just like in LN.

How isn’t PoS more and more concentration of wealth at the top, automatically built-in, no work required?

Again, LN has the same problem, my proposal won't make it any worse than that.

Lightning is completely different it’s competitive and takes skill and planning to run successfully, it doesn’t work on the premise to give people more fees, sure the highest capital nodes can get more fees, but there can still be competition from smaller nodes, because most people won’t be needing to send high amounts everyday.

The same will be here. Also, note that mining should be decentralized, that means each validator should validate its own set of transactions, and their efforts should be then combined, to create a superblock for the whole network.

It actually helps the main chain, instead of being in competition with it, both balance each other out.

My proposal also helps the main chain, for example by taking some traffic outside of it, and then posting a batched state of the sidechain every sometimes.

Edit:

The Lightning Network doesn't; you can't double-sign transactions.

The same in my network: it will be rejected in the same way as double spends are rejected. Unless it will have a higher fee, then full RBF kicks in, exactly in the same way as it is on the main network. But after getting at least one sidechain confirmation, it will be very hard to do, in the same way as it is hard to do one-block-reorg on the main chain.

This just doesn't sound right.

Why not? Users should have a choice. If they can sell their bitcoins, and buy some useless altcoins, then why not provide them a different choice: just sign the same coins, but instead of selling them, get some sidechain coins, of the same amount in satoshis, and use new features as you wanted. Why not go that way? That proposal could be used to get rid of altcoins, which create new coins out of thin air. They should all be based on Bitcoin, there should be always no more than 21 million coins, some of them should fly on the mainchain, and the rest should be moved inside LN, sidechains, or different (not known yet) networks.

Therefore doing the work and staking will always be more profitable than staking alone.

Well, so miners will mine and stake. It is still better than mining alone, it is just the first step to convince them into staking. If they will stake, then they can see the benefits of staking, and later, if they decide to turn off their machines for any reason (for example because the endlessly growing difficulty will force them to do so), they can focus on staking, instead of leaving the crypto altogether.

If we don't have a paper that explains clearly how a Proof-of-Stake sidechain is somewhat superior, we can only do pointless speculation.

Keep calm, I'm working on it. Meanwhile, I can answer some questions and make my proposal harder to stop, based on your responses. I don't want to share something that could be easily destroyed by me, or by some regular people from forums. So, this discussion is definitely helpful to speed up the whole process, and I appreciate it. It is like in artificial intelligence: the smarter you are, the faster and the better your model can be trained.

Edit: You wanted more details, so here we go. Let's assume there is Alice, sending coins to Bob. And there is some Zack that wants to validate it. How it should be done? For example in this way:

Code:

+---------------------------------------------------------+
| ZackOne 1.00 BTC                    -> ZackTwo 1.01 BTC |
| SIGHASH_SINGLE|SIGHASH_ANYONECANPAY                     |
+---------------------------------------------------------+

That means, Zack is going to sign something, for a 0.01 BTC fee, and wants to put 1.00 BTC at stake. By using such sighashes, Zack can attach this single input and single output into any transaction that will pay him. Then, let's assume that Alice wants to send some coins to Bob:

Code:

+-----------------------------------------------------+
| Alice 0.51 BTC                      -> Bob 0.50 BTC |
| SIGHASH_SINGLE|SIGHASH_ANYONECANPAY                 |
+-----------------------------------------------------+

Guess what, both parts can be combined into a single transaction, that will have zero on-chain fee:

Code:

+--------------------------------------+
| ZackOne 1.00 BTC -> ZackTwo 1.01 BTC |
| Alice 0.51 BTC      Bob 0.50 BTC     |
+--------------------------------------+

That means, on-chain miners can of course mine it, but then they will get nothing. And imagine using some smaller fee than on-chain, so many sidechain transactions will be combined, and they will later reach the minimal on-chain fee, so they could be then broadcasted, as a single, huge, batched transaction. Impressive, isn't it? Also, sidechain can optimize things even more, by storing transactions in encrypted form (by using Homomorphic Encryption), then Pedersen Commitments can be used to manipulate encrypted transactions, that could be later decrypted and broadcasted to the mainchain. There are endless possibilities, I don't know what users will invent, I am trying to just provide the base standardized layer for that.

[tadamichi]

There are unlimited possibilities that depend on the details. If we don't have a paper that explains clearly how a Proof-of-Stake sidechain is somewhat superior, we can only do pointless speculation.

True.

[…]

Now the concept sounds much more sound. I’ll wait for the proposal to be here, so you have the time to work the details out. Good luck. This could have potential.

[stwenhao]

More sidechain demonstration: the normal 1 sat/vB fee means 110 bytes per each P2WPKH-P2WPKH pair. Here, each user can pay 105 satoshis per entry, and the validator pays only 85 satoshis for validating all of that, and for enforcing that on-chain. It is trustless, it is based on SIGHASH_SINGLE|SIGHASH_ANYONECANPAY, and it allows reaching lower fees. Those low-fee transactions are broadcasted only on a sidechain, where they are collected, grabbed by some validator, and then that validator can be paid by getting a discount on its own transaction, it is a reward for the whole batching effort. In practice, that validator could earn even more by batching A->B and B->C sidechain transactions into A->C mainchain transaction. But this example shows, what is possible here and now, with no protocol changes, more sidechain features are ongoing.

Code:

decoderawtransaction 020000000001056d55d01776f9b17c9fb5fb2a0f058ab7e6c41e53ae8664c3168e66715f57222f0600000000fdffffff6d55d01776f9b17c9fb5fb2a0f058ab7e6c41e53ae8664c3168e66715f57222f0700000000fdffffff6d55d01776f9b17c9fb5fb2a0f058ab7e6c41e53ae8664c3168e66715f57222f0800000000fdffffff6d55d01776f9b17c9fb5fb2a0f058ab7e6c41e53ae8664c3168e66715f57222f0900000000fdffffff6d55d01776f9b17c9fb5fb2a0f058ab7e6c41e53ae8664c3168e66715f57222f0a00000000fdffffff05ef1a00000000000016001431758f3a879e6f5de7c360930690090c98bfc19fd71e0000000000001600140e4d33832a5cf1f55f11ff26c7b36b902dafa605bf22000000000000160014267ce5c5540119ccae615291ed82358bcc7289a5a7260000000000001600143df04c045d3ed284bf45b8c6e89fa127bb09bc1aa32a0000000000001600143c84a28cf58857ab84ffd3b97695bfcf0eea9d3802473044022075742ae535f32ecb934344234a4cd858927e8cc3f6a49c538e9c5febdf0b51f802203d9cf9029d7fbe350adc7a14588b230351c60c4f7a22b639c154bb7ecf5315eb832103ac2c72443e7e2c84b9a18e9038f5681b64bc1039bf40b2ed02f9399a03571c5302473044022038f4a35ecd76650287eaf59964deeca18f9216aebf758278ac9d444a853b64240220036ab1d4695f8620ee33388c68164ecae783fdcac1612135e69ade164d981fa78321034fa5e72baea2e4dfff869203f24acd00b5513d10be34c4483550ea8bec88a1e80247304402202b25ae58837e44c4e8a85aa62d93f197553e53d47b0de946ed66600b7d6ed14a02202152b8691386e4e2d535435ee2f0c73bc13116a7aa5f61e873a198da1cdbf31b832102e488eaa75fca4db098764f0ec8496805d2bd947d3c2e81a45009389fc6117ab70247304402204a7402e66380d60e9dc1b675cc8210ecf3254cacd0085f69e6297bd5cc2afde40220050563ce08bfbd5d3bcb04bb05c7076fa7afaadf483a906053c2475507ee4a6a832103596f696ec7cb352e72042d76f2e166c932f8d4f229ea495a5b659a74357f0cd60247304402206c939a48b5da4233afc896e60dce055ed66b56890ee7aafa75b7cecb9b88570302206f6a4e26a0a28f82f413f0bc77caaeabef9d13eb5750472f85ddff1d2ce0970c83210358d6ce36da9453b7e90d63c0d34cbb587d0bd2fc7090504e3c49074ff5a7629400000000
{
  "txid": "07168e032760422e31c98642a2ee8013d7da4902485c002761baa2808a8f7eef",
  "hash": "c2b56a74cde6750711b34c7700e5bd0476eaeb95313387f7bec68369ed776de2",
  "version": 2,
  "size": 907,
  "vsize": 505,
  "weight": 2017,
  "locktime": 0,
  "vin": [
    {
      "txid": "2f22575f71668e16c36486ae531ec4e6b78a050f2afbb59f7cb1f97617d0556d",
      "vout": 6,
      "scriptSig": {
        "asm": "",
        "hex": ""
      },
      "txinwitness": [
        "3044022075742ae535f32ecb934344234a4cd858927e8cc3f6a49c538e9c5febdf0b51f802203d9cf9029d7fbe350adc7a14588b230351c60c4f7a22b639c154bb7ecf5315eb83",
        "03ac2c72443e7e2c84b9a18e9038f5681b64bc1039bf40b2ed02f9399a03571c53"
      ],
      "sequence": 4294967293
    },
    {
      "txid": "2f22575f71668e16c36486ae531ec4e6b78a050f2afbb59f7cb1f97617d0556d",
      "vout": 7,
      "scriptSig": {
        "asm": "",
        "hex": ""
      },
      "txinwitness": [
        "3044022038f4a35ecd76650287eaf59964deeca18f9216aebf758278ac9d444a853b64240220036ab1d4695f8620ee33388c68164ecae783fdcac1612135e69ade164d981fa783",
        "034fa5e72baea2e4dfff869203f24acd00b5513d10be34c4483550ea8bec88a1e8"
      ],
      "sequence": 4294967293
    },
    {
      "txid": "2f22575f71668e16c36486ae531ec4e6b78a050f2afbb59f7cb1f97617d0556d",
      "vout": 8,
      "scriptSig": {
        "asm": "",
        "hex": ""
      },
      "txinwitness": [
        "304402202b25ae58837e44c4e8a85aa62d93f197553e53d47b0de946ed66600b7d6ed14a02202152b8691386e4e2d535435ee2f0c73bc13116a7aa5f61e873a198da1cdbf31b83",
        "02e488eaa75fca4db098764f0ec8496805d2bd947d3c2e81a45009389fc6117ab7"
      ],
      "sequence": 4294967293
    },
    {
      "txid": "2f22575f71668e16c36486ae531ec4e6b78a050f2afbb59f7cb1f97617d0556d",
      "vout": 9,
      "scriptSig": {
        "asm": "",
        "hex": ""
      },
      "txinwitness": [
        "304402204a7402e66380d60e9dc1b675cc8210ecf3254cacd0085f69e6297bd5cc2afde40220050563ce08bfbd5d3bcb04bb05c7076fa7afaadf483a906053c2475507ee4a6a83",
        "03596f696ec7cb352e72042d76f2e166c932f8d4f229ea495a5b659a74357f0cd6"
      ],
      "sequence": 4294967293
    },
    {
      "txid": "2f22575f71668e16c36486ae531ec4e6b78a050f2afbb59f7cb1f97617d0556d",
      "vout": 10,
      "scriptSig": {
        "asm": "",
        "hex": ""
      },
      "txinwitness": [
        "304402206c939a48b5da4233afc896e60dce055ed66b56890ee7aafa75b7cecb9b88570302206f6a4e26a0a28f82f413f0bc77caaeabef9d13eb5750472f85ddff1d2ce0970c83",
        "0358d6ce36da9453b7e90d63c0d34cbb587d0bd2fc7090504e3c49074ff5a76294"
      ],
      "sequence": 4294967293
    }
  ],
  "vout": [
    {
      "value": 0.00006895,
      "n": 0,
      "scriptPubKey": {
        "asm": "0 31758f3a879e6f5de7c360930690090c98bfc19f",
        "desc": "addr(tb1qx96c7w58neh4me7rvzfsdyqfpjvtlsvlpu3jk7)#qn2vdxzt",
        "hex": "001431758f3a879e6f5de7c360930690090c98bfc19f",
        "address": "tb1qx96c7w58neh4me7rvzfsdyqfpjvtlsvlpu3jk7",
        "type": "witness_v0_keyhash"
      }
    },
    {
      "value": 0.00007895,
      "n": 1,
      "scriptPubKey": {
        "asm": "0 0e4d33832a5cf1f55f11ff26c7b36b902dafa605",
        "desc": "addr(tb1qpexn8qe2tncl2hc3lunv0vmtjqk6lfs94hcxg9)#4rxkuxgt",
        "hex": "00140e4d33832a5cf1f55f11ff26c7b36b902dafa605",
        "address": "tb1qpexn8qe2tncl2hc3lunv0vmtjqk6lfs94hcxg9",
        "type": "witness_v0_keyhash"
      }
    },
    {
      "value": 0.00008895,
      "n": 2,
      "scriptPubKey": {
        "asm": "0 267ce5c5540119ccae615291ed82358bcc7289a5",
        "desc": "addr(tb1qye7wt325qyvuetnp22g7mq3430x89zd9cx6w0l)#kx5lg7qc",
        "hex": "0014267ce5c5540119ccae615291ed82358bcc7289a5",
        "address": "tb1qye7wt325qyvuetnp22g7mq3430x89zd9cx6w0l",
        "type": "witness_v0_keyhash"
      }
    },
    {
      "value": 0.00009895,
      "n": 3,
      "scriptPubKey": {
        "asm": "0 3df04c045d3ed284bf45b8c6e89fa127bb09bc1a",
        "desc": "addr(tb1q8hcycpza8mfgf069hrrw38apy7asn0q6r0pn60)#l5an66k2",
        "hex": "00143df04c045d3ed284bf45b8c6e89fa127bb09bc1a",
        "address": "tb1q8hcycpza8mfgf069hrrw38apy7asn0q6r0pn60",
        "type": "witness_v0_keyhash"
      }
    },
    {
      "value": 0.00010915,
      "n": 4,
      "scriptPubKey": {
        "asm": "0 3c84a28cf58857ab84ffd3b97695bfcf0eea9d38",
        "desc": "addr(tb1q8jz29r843pt6hp8l6wuhd9dleu8w48fchm2v7q)#0s7jv64g",
        "hex": "00143c84a28cf58857ab84ffd3b97695bfcf0eea9d38",
        "address": "tb1q8jz29r843pt6hp8l6wuhd9dleu8w48fchm2v7q",
        "type": "witness_v0_keyhash"
      }
    }
  ]
}

Edit: There is a validator that earned 97 satoshis, and provided Taproot validation, where users paid 105 satoshis, instead of 112. See transaction: 99459ff5ce058067ed87b99f326305768444068a5659dce5ea5f126bfd4b0bda.

[NotATether]

Bump...

I'm adding info from this thread to bitcoincleanup, so it's important that I clearly understand what is being talked about here.

In both PoS and PoW, if the miners as a whole act badly, they will lose their investment. However, with PoW, the underlying coin will survive. This is an important distinction. If a large PoS miner were to successfully act badly, they could potentially enter into derraritive contracts to offset the coin they have "locked up" that is mining. This removes the requirement for a PoS miner to actually invest in their "mining" operation. OTOH, a PoW miner cannot easily hedge their investment if they intend to act badly while mining.

Can you elaborate how exactly such an attack could be carried out, from A to Z?

[BrotherCreamy]

The only thing I can contribute to this thread is the following question (for PoSers):

How does PoS support chain splits?

The ability to fork the chain is fundamental for resilience.

Without this, you might as well just have an Excel spreadsheet on somebody's laptop IMO.

To my understanding, in a PoS chain, both forks of a chain retain the staking balances on both sides, and it would only make sense for the stakers to validate the same blocks on both chains.
This would end with two chains with the same parameters, which defeats the point of a split.

In a PoW chain, whenever a chain split occurs, miners have to pick which fork to continue mining on, so you would be left with two competing chains of different parameters, of which one would eventually win out as the coins on one chain slowly devalue relative to the other as people sell their coins on one chain to buy coins on the other (as it should be).

Am I wrong? Is there some mechanism by which PoS supports chain splits in a robust way?

[NotATether]

Am I wrong? Is there some mechanism by which PoS supports chain splits in a robust way?

While I certainly do not count as a PoS'er by any definition of the term, the simple answer to your question is, bare PoS doesn't have such a mechanism.

There is financial incentive to mine on both chains, which leads to double-spend attacks and all that.

Ethereum has a financial deterrent in that you lose you stake if you try to submit a bad block, but there is actually no criteria deployed to the network yet to judge what is a bad block.

[BlackHatCoiner]

To my understanding, in a PoS chain, both forks of a chain retain the staking balances on both sides, and it would only make sense for the stakers to validate the same blocks on both chains.

Sure, but can't the same apply on Proof-of-Work too? Say that the chain splits to old-Bitcoin and new-Bitcoin that supports merged-mining. Miners that mine the old chain can use redundant hashes to mine for the new chain, with the exact same hash rate. All that's needed for new-Bitcoin is to prove you've worked for it. It'll be essentially a sidechain, but with no dependence on the mainchain.

I don't see how Proof-of-Stake defeats the point of split. It's not the miners/stakers who define the value of the coins, but the users. If a split occurs, there might be new money created, but the product remains the same. Market value of 1 BTC is just split to 1-old-BTC and 1-new-BTC.

[n0nce]

To my understanding, in a PoS chain, both forks of a chain retain the staking balances on both sides, and it would only make sense for the stakers to validate the same blocks on both chains.

Sure, but can't the same apply on Proof-of-Work too? Say that the chain splits to old-Bitcoin and new-Bitcoin that supports merged-mining. Miners that mine the old chain can use redundant hashes to mine for the new chain, with the exact same hash rate. All that's needed for new-Bitcoin is to prove you've worked for it. It'll be essentially a sidechain, but with no dependence on the mainchain.

I don't see how Proof-of-Stake defeats the point of split. It's not the miners/stakers who define the value of the coins, but the users. If a split occurs, there might be new money created, but the product remains the same. Market value of 1 BTC is just split to 1-old-BTC and 1-new-BTC.

I don't think there ever was a Fork-BTC that was designed to be able to be mined merged with the original BTC. This seems like a very constructed example.
So, while in PoW model this seems like a constructed, rare exception, in PoS this is the default. You can 'mine' / validate on both chains by default, while in PoW you must decide where you point your miners and what chain you burn your electricity on.

[pooya87]

To my understanding, in a PoS chain, both forks of a chain retain the staking balances on both sides, and it would only make sense for the stakers to validate the same blocks on both chains.

Sure, but can't the same apply on Proof-of-Work too? Say that the chain splits to old-Bitcoin and new-Bitcoin that supports merged-mining. Miners that mine the old chain can use redundant hashes to mine for the new chain, with the exact same hash rate. All that's needed for new-Bitcoin is to prove you've worked for it. It'll be essentially a sidechain, but with no dependence on the mainchain.

The difference is that there is still "work" being done on both chains, even the merged mined coin is being mined and it could actually have increased difficulty for it to no longer work as a merged mined coin.
In the PoS case, there is no actual "work" being done, and it is trivial for the staker to benefit from both chains at virtually no cost.

[oryhp]

I tried to explain some of the differences in PoW/PoS here https://phyro.github.io/nakamoto/. It doesn't go into theory or touches subjects like coin distribution. It focuses more on the difference in how a new block is added. Let me know if I got some things wrong.

[BrotherCreamy]

Sure, but can't the same apply on Proof-of-Work too? Say that the chain splits to old-Bitcoin and new-Bitcoin that supports merged-mining. Miners that mine the old chain can use redundant hashes to mine for the new chain, with the exact same hash rate. All that's needed for new-Bitcoin is to prove you've worked for it. It'll be essentially a sidechain, but with no dependence on the mainchain.

I don't see how Proof-of-Stake defeats the point of split. It's not the miners/stakers who define the value of the coins, but the users. If a split occurs, there might be new money created, but the product remains the same. Market value of 1 BTC is just split to 1-old-BTC and 1-new-BTC.

But the chains become independent once they split. The hashes would be different for different blocks, so you'd either have to choose to point your miners at the new or the old chain.
The miners that believe they can make more out of the new chain would point their miners at the new chain, and miners who think they can make more out of the old chain would stay on the old chain.
The new chain would have different consensus parameters, which could not be subverted without significant cost to the miners who wish to subvert it.

Under PoS, this is not the case.
Since the staked amount persists on both tails, stakers could just stake the same way on both tails, and subvert the new chain, and its consensus parameters would end up being the same as the old chain.

[n0nce]

Sure, but can't the same apply on Proof-of-Work too? Say that the chain splits to old-Bitcoin and new-Bitcoin that supports merged-mining. Miners that mine the old chain can use redundant hashes to mine for the new chain, with the exact same hash rate. All that's needed for new-Bitcoin is to prove you've worked for it. It'll be essentially a sidechain, but with no dependence on the mainchain.

I don't see how Proof-of-Stake defeats the point of split. It's not the miners/stakers who define the value of the coins, but the users. If a split occurs, there might be new money created, but the product remains the same. Market value of 1 BTC is just split to 1-old-BTC and 1-new-BTC.

But the chains become independent once they split. The hashes would be different for different blocks, so you'd either have to choose to point your miners at the new or the old chain.

Except in his (in my opinion) very constructed example where the new chain doesn't require its own mining, but is merged-mineable with the main chain.

The miners that believe they can make more out of the new chain would point their miners at the new chain, and miners who think they can make more out of the old chain would stay on the old chain.
The new chain would have different consensus parameters, which could not be subverted without significant cost to the miners who wish to subvert it.

Under PoS, this is not the case.
Since the staked amount persists on both tails, stakers could just stake the same way on both tails, and subvert the new chain, and its consensus parameters would end up being the same as the old chain.

That's exactly correct. That's one of the aspects that (asterisk asterisk except in niche constructions / exceptions) makes PoW so different and so much stronger than PoS. In PoS, the 'investment' (miner / stake) is within the system and that's a problem on a multitude of levels.

[BlackHatCoiner]

But the chains become independent once they split.

I now see it clearly. You're right. You can't use the same work to extend another chain, unless the new chain is dependent on the old chain, regardless of the configuration of the new chain. The new chain founders can either choose to completely disconnect it with the old chain, or make it based on it.

Forking the chain in the former fashion (e.g., Bitcoin Cash) in Proof-of-Stake does grant the validators the same benefits oppositely to Proof-of-Work, indeed. That being said, you could say that Proof-of-Work makes splitting / forking less desirable.

[n0nce]

But the chains become independent once they split.

I now see it clearly. You're right. You can't use the same work to extend another chain, unless the new chain is dependent on the old chain, regardless of the configuration of the new chain. The new chain founders can either choose to completely disconnect it with the old chain, or make it based on it.

Exactly, and imagine the credibility of a 'fork team' who on one hand is trying to sell their fork as the 'new Bitcoin' that will 'replace it' (flippening), while at the same time being based (thus reliant) on the real BTC blockchain through merged mining. Nobody would take them seriously.
There is a binary decision which chain to mine, that doesn't exist in PoS.

That's also why there is a (trivial) binary decision which chain is longer in an unintentional chain split; meanwhile in Ethereum someone will need to decide which chain is 'longer', as the validators will just validate both sides of the split. Will it be based on a Tweet by Vitalik? I don't know. Doesn't inspire much confidence.

Forking the chain in the former fashion (e.g., Bitcoin Cash) in Proof-of-Stake does grant the validators the same benefits oppositely to Proof-of-Work, indeed. That being said, you could say that Proof-of-Work makes splitting / forking less desirable.

On the other hand, making it harder to fork also gives security / stability to Bitcoin, and if someone were to try coming up with a real contender, the economics (miners switching or not) will show which chain / which coin is more popular and should be pursued. In other words; it would be easier to figure out the 'winner'.

I mean, imagine every miner who claims fork-coins magically being handed an ASIC (for each of the ASICs they own) for the fork chain. The thought is hilarious to me! But that is what happens in a PoS fork.