I mean, if Doctor Evil suddenly decided to spend tens of billions of dollars to destroy the three main credit card networks, he could probably do it. In fact, it might be easier and cheaper than attempting to degrade or bring down a distributed block chain network. The credit card networks are built upon many layers of ancient, pre-Internet technology, full of discoverable vulnerabilities and critical points-of-failure.
But we all know that it wouldn't happen. Doctor Evil would never want to do so, because even he, the most evil person in the world, would still want to be able to use his credit cards to eat out, go to the movies, and order stuff online. Also, he would never want to do something that would make him enemy #1 of every other person on the planet, including every other super-criminal!
What Doctor Evil actually wants to be able to do is figure out ways to steal or get balances from participants in the network without destroying the network: steal poorly protected wallets, hack into poorly secured exchanges, find ways to get blackmail payments on the network (e.g., by launching DoS attacks on the web), etc. The network itself is too useful to everyone for anyone to want to destroy it.
PS. For the record: I have no economic connection to Algorand the block chain nor to Algorand the company, but I'm (superficially) familiar with some of Silvio Micali's past work and also, I know one of the company's top executives. In my judgement, the Algorand block chain has great technology, and Algorand the company has really great people. Their main challenge, as I see it, is overcoming the powerful network effects already accruing to other block chains.
At the end of the day, Dr. Evil will gladly spend 10s of billions to destroy the network if doing so nets him 100s of billions. Stop listing reasons people won't attack the network and start listing reasons they would.
Why would Doctor Evil attack a block chain network when he could attack global/national/regional credit card/wire transfer/ACH networks, many of which are built upon ancient pre-Internet technology, are full of discoverable vulnerabilities and critical points-of-failure, and are operated by cash-rich financial institutions with liquid, easy-to-short stocks?
Now, if you think such an attack is an important problem for block chains, then you must also think it is an important problem for all legacy transaction networks. Yet we're all comfortable using our credit cards and bank accounts every day, and for virtually all practical purposes, we don't worry about a "Doctor Evil scenario." Why should we think and behave differently for block chain networks?
Moreover, as I wrote before, in practice, legacy transaction networks (like, say, regional VISA networks run by 100-year-old banks) are easier and cheaper to attack. If the Doctor Evil scenario were a real threat, it would be more profitable for him to target one of the legacy networks!
Fundamentally, if there are off-chain incentives to destroy the value of a given blockchain, much of our reasoning about the game theory doesn’t hold up.
If you attack the blockchain, well ... uh ... the owners will ... be really unhappy with you?
Realistically you're only in trouble for doing that if you're pissing off someone else with "the means to violence". If you screw up money laundering operations for a cartel, then what you're likely looking at is acts of violence between two criminal organizations, but if one of them has the upper hand, they can basically act with impunity.
When you're looking at the "small fry" – individual people with their own bitcoin/whatever stakes? They're just fucked. It's true if someone steals your wallet, but it's also true if someone torpedoes the whole system. That's the cardinal problem with all of these blockchain technologies — by deliberately designing the whole thing to disintermediate the authorities; they accomplished exactly that: there are no authorities to deal with systemic problems.
This irrational fear of short selling is such a modern midwit view. There is way more value to fraud on the upside than there is on the downside, and we see that every day.
What kind of short-selling? For naked short selling I quickly found evidence: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=273488 That's the predecessor of a paper cited from 2003 SEC testimony of Robert J. Shapiro published at https://www.sec.gov/rules/proposed/s72303/rshapiro122403.htm..., which in turn may have been a related source for the Shapiro citation in a 2008 Time magazine article at https://web.archive.org/web/20080424032340/http://www.time.c..., which I found via the Wikipedia article on naked short selling at https://en.wikipedia.org/wiki/Naked_short_selling#Claimed_ef...
That first paper describes a scheme whereby investors bought convertible warrants, used naked short selling to drive the stock price down, then covered by exercising their warrants. And apparently in many cases, as documented by the paper, this resulted in a delisting or even bankruptcy of the targeted firms.
If it were legal to take a short position in a company and then take actions which blew the company up AND there existed cost-effective ways to do so, then you would definitely have seen more legitimate companies taken down by short-attacks. In contrast, here you have an entity where (a) there aren't the same legal safeguards and (b) there exists a claimed cost-effective way to tank the entity after taking a short position.
If you disagree with (a) or (b) empirically, then cool, but it's clearly a totally different scenario to regular companies.
Therefore, the formal proof of security provided in the Algorand white paper does not resolve the nothing-at-stake problem, which is inherent to all PoS systems.
> about 30-45 accounts _which had stake at that time
The way this is stated makes it sound difficult. But if this is false history presented by a malicious node, surely they could make up anything, as the data does not need to line up with any official history at any point. (Without a trusted party, no history line is really official anyway, isn't it?) Constructing a history with 30 accounts with stake at any given point in time isn't any harder or easier than constructing 3 or 3000.
In practice, among the people who once staked large amounts of a proof-of-stake currency, most of them will probably continue being invested in its ecosystem moving forward. Even if they can't be personally punished for lying about the past, a successful history split would likely reduce the community's confidence in the currency, and thus its market value. Most of those people are also emotionally invested in the ecosystem and would not want to dishonestly subvert it. There will be exceptions. But to create an alternate history you need to subvert not just one validator, but most validators (or rather, validators who together control most of the currency being staked).
Warren Buffet buys up 70% of the network, induces a network partition, and then double spends it all, signing both transaction histories.
By the time he’s caught, he’s converted 2x the value of the POS network to POW bitcoins.
Replace “warren buffet” with “crypto exchanges selling bundled securities”, and the above is not just plausible, it’s inevitable.
The same scam has been run over and over again with conventional banks (who are inevitably bailed out on top of getting to take the money and run), POS just changes the nature of the obscure underlying financial instruments.
This risk can be mitigated:
1. The network should halt if a fork is detected. A fork with more than 66% of the stake behaving maliciously means a fundamental trust assumption of the network has been violated. Stop everything! Let humans figure out what is going on. I'm not saying every PoS system WILL halt under these circumstances, but as a countermeasure they SHOULD be designed to halt and value safety over partition resilience. Thus, an attacker forking a PoS must never allow parties to see either side of the fork. If a party notices a fork occurs, they will halt and can't be double spent against.
2. Following from 1, how do you prevent parties from communicating and discovering that a fork is occurring? Are you a tier-1 ISP and can control all internet traffic? You can defend against such attacks by making it very hard to hide the presence of a fork via redundant communication mechanisms. For instance, the Bitcoin blockchain is broadcast via satellite; a PoS blockchain could do that as well.
3. Additionally you can require that stakers lock their stake for long periods of time e.g., 6 months. This means that if an attacker wants to perform this attack and truly have nothing at stake they must cause a fork in the chain before the 6-months ago mark. Parties who are up to date with the latest chain are not vulnerable since they have already accepted the consensus history of chain. New parties who are syncing for the first time would be vulnerable, however clients could be programmed to have hardcoded 6th month checkpoints or clients could check block explorers and halt if a fork is detected.
Yeah, but you're glossing over an important detail: It's not 66% of the stake that has to be good, it's 66% of anyone who has ever staked. In PoW, I only need to trust the miners of today to tell me the truth about what happened today. In PoS, I need that, plus the miners of yesterday, plus the miners of a year ago, plus ..., in perpetuity.
> New parties who are syncing for the first time would be vulnerable, however clients could be programmed to have hardcoded 6th month checkpoints or clients could check block explorers and halt if a fork is detected.
Right, maybe you can elaborate on this. Is checking block explorers a decentralized or trustless solution to, well, anything?
I don't quite get that. As far as I understand it the "nothing at stake" problem works by a malicious party inducing a fork, one of which they double-spend in.
Since it's in the best interest for everyone else to mine both forks, you can force your double-spend fork to become the longest chain by only validating the double-spend fork.
This means you have to trust that nobody part of your current chain has double-spent in this way. But isn't this the same as in PoW where you have to trust that nobody has launched a 51% attack to disrupt the network in the past?
Also, can't you just prevent people from mining all forks? I.e. for becoming a validator you have to deposit X as a security beforehand and you can only earn at most X via staking (so it is in the history before you can attack with nothing at stake). If it is recognised that you mine on more than one fork at a time, you lose the security deposit you gave before the fork. X goes to the person who found the fork, incentivising that the malicious fork is identified on all forks (miners on competing forks are incentivised to look at all forks and quickly add the malicious fork detection for their own benefit). If you want to retrieve your security and money earned, you have to announce this on all forks (you immediately cease to be a validator). You are only allowed to retrieve the funds if it is confirmed on all forks, or the forks are sufficiently behind the longest chain. This allows everybody ample time to look for dual-fork work and also incentivizes rapid solution of forks.
Yes, modern proof-of-stake algorithms work this way. The caveat is that at some point (on the order of months later) the security deposit is refunded, and at that point you can lie about the past without consequence. But this is a limited attack: you can only successfully lie to someone who has been offline since you were a staker, or else they would already have a record of the real successor chain (which now has a new set of stakers, who themselves still have their security deposit deposited).
Like, this is trivially solved with a central authority (e.g. have some trusted core developer every day publish a signed message saying "this is the real successor chain"), but it does enable that central authority to arbitrarily bless a fake ex-staker's fork.
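As an added illustration (a constructed toy model, not code from any real protocol or from the commenters above) of the two countermeasures discussed in this thread: a node that halts when it sees two supermajority certificates for different blocks at the same height (point 1 of the halt proposal), and slashing of the deposit of every validator that signed both, paid to whoever reported the fork, with honest deposits only withdrawable after an unbonding period (the security-deposit proposal and its refund caveat). The `ForkGuard`, `Certificate` and `Validator` names and the 2/3 threshold are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Certificate:
    """A block at `height` plus the validators whose signatures back it."""
    height: int
    block_hash: str
    signers: FrozenSet[str]


@dataclass
class Validator:
    deposit: int
    bonded_until: int        # height at which the deposit may be withdrawn
    slashed: bool = False


class ForkGuard:
    """Node-side view of one PoS chain (toy model): commits blocks backed by a
    2/3 stake supermajority, halts on conflicting certificates, slashes the
    validators that signed both sides and pays their deposits to the reporter."""

    def __init__(self, deposits: Dict[str, int], unbonding_period: int):
        # Every validator is bonded from height 0 until the unbonding period ends.
        self.validators = {n: Validator(d, unbonding_period) for n, d in deposits.items()}
        self.committed: Dict[int, Certificate] = {}   # height -> accepted certificate
        self.balances: Dict[str, int] = {n: 0 for n in deposits}  # withdrawn + rewards
        self.halted = False

    def bonded_stake(self) -> int:
        return sum(v.deposit for v in self.validators.values() if not v.slashed)

    def stake_of(self, signers: FrozenSet[str]) -> int:
        return sum(self.validators[s].deposit for s in signers
                   if s in self.validators and not self.validators[s].slashed)

    def is_valid(self, cert: Certificate) -> bool:
        # Integer form of stake(signers) >= 2/3 * bonded stake (no float rounding).
        total = self.bonded_stake()
        return total > 0 and 3 * self.stake_of(cert.signers) >= 2 * total

    def observe(self, cert: Certificate, reporter: Optional[str] = None) -> str:
        if self.halted:
            return "halted"            # safety already violated: accept nothing
        if not self.is_valid(cert):
            return "rejected"          # not enough stake behind it; ignore
        prior = self.committed.get(cert.height)
        if prior is None:
            self.committed[cert.height] = cert
            return "committed"
        if prior.block_hash == cert.block_hash:
            return "duplicate"
        # Two supermajority certificates for different blocks at one height:
        # at least a third of the stake signed both. Turn the safety failure
        # into an availability failure (stop) and slash the equivocators.
        self.halted = True
        for name in sorted(prior.signers & cert.signers):
            self.slash(name, reporter)
        return "fork-halt"

    def slash(self, name: str, reporter: Optional[str]) -> None:
        v = self.validators[name]
        if v.slashed:
            return
        v.slashed = True
        if reporter is not None:       # the finder of the fork receives the deposit
            self.balances[reporter] = self.balances.get(reporter, 0) + v.deposit

    def withdraw(self, name: str, current_height: int) -> bool:
        """Return the deposit only after the unbonding period. Once it is out,
        this model (like the caveat above) can no longer punish the ex-validator."""
        v = self.validators[name]
        if v.slashed or v.deposit == 0 or current_height < v.bonded_until:
            return False
        self.balances[name] = self.balances.get(name, 0) + v.deposit
        v.deposit = 0
        return True


def demo() -> Dict[str, object]:
    # Constructed scenario: B, C and D hold 90% of the stake and sign two
    # different blocks at height 5; A notices the second certificate.
    g = ForkGuard({"A": 10, "B": 20, "C": 30, "D": 40}, unbonding_period=100)
    r1 = g.observe(Certificate(5, "0xaaa", frozenset({"A", "B", "C", "D"})))
    r2 = g.observe(Certificate(5, "0xbbb", frozenset({"B", "C", "D"})), reporter="A")
    return {"first": r1, "second": r2, "halted": g.halted,
            "reporter_balance": g.balances["A"],
            "c_withdraw_after_slash": g.withdraw("C", 500)}


if __name__ == "__main__":
    print(demo())
```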
Note that in Bitcoin you can have a fork in which both chains have equal length. The idea is that eventually the longest chain will be established, but if say 90% of the mining is malicious that malicious miner could ensure that most of the time both chains are of equal length.
With a PoS fork you can ask which fork has the most stake voting for it. An attacker that controls enough stake might be able to balance the total stake vote in the same way as a malicious miner could on Bitcoin.
In both cases if the core security assumption of the blockchain is violated, that blockchain should halt until that assumption is made sound again. If someone orphans the last two years of Bitcoin's blockchain something has gone horribly wrong. The fact that Bitcoin now switches to the longest chain doesn't actually address the problem that two years of transactions may have been rendered invalid.
What does this mean in practice? Who are these humans? When can the network get going again? Would a consensus rule change be part of it, and what type of changes would be allowed in that situation?
It sounds hard to manage this type of maintenance breaks in a trustless way. Surely consensus rule changes during outages should not be handled any differently than changes when under normal operations.
> clients could be programmed to have hardcoded 6th month checkpoints
Who signs these checkpoints? Once you have established the trust required for checkpointing the entire blockchain regularly, wouldn't it be much easier to checkpoint every block instead and in an instant do away with all the hard problems of blockchain networks?
We have a bunch of examples of this happening in practice. The humans are usually a mix of the developers, parties important to consensus (miners, stakers) and big ecosystem players.
> It sounds hard to manage this type of maintenance breaks in a trustless way.
When solving a problem that violates your core security assumption you are no longer in the world of security definitions. It doesn't really make sense to talk about "trustlessness". If the protocol is busted, you need to find a solution and get enough people on board with that solution that you can upgrade the protocol.
> Once you have established the trust required for checkpointing the entire blockchain regularly, wouldn't it be much easier to checkpoint every block instead and in an instant do away with all the hard problems of blockchain networks?
The checkpoints aren't trusted for safety but instead for availability. Instead you should think of them like alarms that "something has gone horribly horribly wrong, stop everything, don't transact, don't move, don't touch anything, pull the e-brake."
tl;dr Much like the fuse box in your house, my view is that checkpoints should turn safety failures (electrical fires) into availability failures (electricity is shut off).
Unsure how pure PoS chains work, maybe they hard code an early block's hash? Like, it's not a legit xorcist-chain unless block #10 has hash #deadbeef
Or if a nation state or the central banks see it as an existential threat, they could consider it the cost of doing business? Maybe $30B to take out Algo or Solana and destroy trust in all PoS networks? That's a rounding error for them.
While you are correct that burning $30 billion dollars to destroy trust in PoS blockchains isn't that much money, I disagree that such an action would actually destroy trust in PoS blockchains. We have seen serious attacks on a number of blockchains, Ethereum for instance had enormous amounts of money stolen or destroyed via weaknesses in the blockchain. Yet Ethereum is still going strong. Bitcoin suffered 51% attacks that were used to perform double spends and Bitcoin is more valuable than ever.
It might be cheap to burn $30B to destroy a blockchain, but what if you burn $30B and the blockchain recovers 12 hours later?
These weaknesses weren’t due to consensus failures or protocol failures, but bugs in applications running on Ethereum. If Ethereum’s protocol allowed arbitrary funds to be stolen, that could certainly cause a loss of trust.
So two of the Bitcoin examples I gave were consensus failures, which already establishes the point, but let's do a very recent example from Ethereum:
A few months ago, in August 2021, Ethereum had a serious consensus failure and about three quarters of the clients in the network and some miners forked off from the miners. How many people even noticed?
> "Ethereum has weathered a bug that split the world’s most-used blockchain and opened up the risk of counterfeit Ether tokens."
The issue at play is that the ability to cripple the consensus of a blockchain for the most part only impacts its availability, not its security or the trust placed in that blockchain. Social consensus can just reset the bad transactions if the theft or doublespend is big enough. We've seen that happen time and time again. They are somewhat robust but highly resilient.
Now it is possible that perhaps someone could perform an action that can not be so easily reset. For instance a huge doublespend where both parties receiving the funds are honest and have traded an object of extreme value for the doublespent funds. That is very hard to pull off. For instance how do you non-reversibly send something of that much value before the fork/doublespend/consensus bug is discovered? If you are moving something worth say 1 billion dollars in a single transaction you should probably be using an escrow service. Perhaps someone will invent a better technique for turning consensus failures into blockchain killers but so far I'm not aware of such a technique.
You said there were “enormous amounts of money stolen or destroyed” as a result of “weaknesses in the [Ethereum] blockchain.”
The consensus issue where one client forked off isn’t evidence of that at all. Even the article you link to says it seems that the network was stable and the impact was minimal. Even in this particular attack, doing a double spend would be rather difficult.
Spend $X billion, then just bleed everyone without power. Sort of like what we do now.
It's _possible_ that a government might choose to attack a random small coin just to discredit the notion of PoS cryptocurrencies, but it's hard to picture a government gaining consensus to do it, and it would be obvious to knowledgeable onlookers that larger coins are immune (or anyway, much better protected), so the resulting disruption would probably be temporary.
Not when the protocol actively encourages decentralization by cutting off staking rewards to larger pools, like what Cardano does (as one example). Sure, the exchanges can (and probably do) run multiple pools, but so can anyone else, and for far less expense than is required for mining.
> Proof-of-Stake attacks aren't about having 51% of the CPU that overwhelms a Proof-of-Work system, but about having 60-70% of the _value_ in the network.
If a nation buys 2/3 of the coin and destroys the network, investors (as a whole) take a 1/3 loss. Then they can (re)start another PoS coin.
Ironically the nation would be up against the old saying that the market can stay irrational longer than you can remain solvent.
Congrats, you've reinvented central banking and plutocracy.
You've outlined only one, the most obvious and least probable, mode of failure.
The more subtle and wildly prevalent failure mode is that the consensus will be set by the few whales, who will maximize their rent extraction at the expense of numerous small players, which will include most later adopters, aka the entire population of Earth.
It's already visible on smaller scale in DAOs, every vote resembles a banana republic: "90% voted, 90% in favour". No matter what smaller stakeholders do/say, the early big investors and dev team always win. Why would they structure it otherwise? The same dynamics exist in PoS, just not as grotesque.
Perhaps that's OK for a private company governance, but for a global currency?
You want the multibillionaires to dictate the properties of the medium of exchange that serves the entire globe? Seems rather strange that so many have such a burning desire to be governed by someone much richer than them.
Unless you have citizenship-based voting of some sort where a single person gets a single vote and they actually vote (automatically I guess, and assuming without delegating to the big whale because "I am bored"), what do you think agreement via resource scarcity implies?
P.S. Also lobbying...
Proof of Work does not get you any votes at all.
PoW is a service to the network, to create an immutable ledger. It comes with a very real nuclear option that will bankrupt miners if you misbehave and get fired by hashing algo change.
It's just a boring industrial business, like smelting aluminum or iron.
It's a system with an immutable monetary policy. Literally unprecedented in human history.
Is it though? It seems minor protocol tweaks aren't uncommon and hard forks managing to eclipse the original protocol in popularity are also conceivable.
Personally, I think people will value bitcoin as good money if fiat money fails. And because they are seeking good money, will value the fork(s) that preserve bitcoin's prior monetary policy.
A fork that changes the monetary policy drastically (particularly, changing the 21M cap) would obviously make for bad money in practical terms.
So literally the same as every monetary policy change involving every currency that didn't use PoW in history...
This has happened multiple times with attempted hard forks of Bitcoin which have failed because once you change the monetary policy once, the promise of hard money effect disappears. So the original monetary policy remains in place and the original network continues as the reigning champion.
If this happens I can technically stay on the original protocol, but that would be rather pointless if a sufficient majority abandons it.
The only real problem with that is that with a small hash rate, bitcoin can be attacked more easily.
If bitcoin is the monetary backbone for many nations, they will subsidize miners to maintain the balance of power. That is the actual scenario that I'm optimistically predicting.
If bitcoin isn't the monetary backbone for many nations, by then, then it's probably a failure, and should probably be allowed to die.
It's also very possible that transactions fees alone actually will be sufficient to support a high enough amount of hash power to secure the network.
I have to admit that I have no idea how much work is actually needed to secure the network. My point of view is that the current rate of energy expenditure outweighs whatever benefit Bitcoin does or could provide to society. But if this rate is a transient result of still-significant minting going on, things could definitely look different in the future.
Do you know of any analyses on how much work really has to be continuously expended in order for Bitcoin to remain reasonably secure at a given market capitalization?
Each nation would love to be able to manipulate the supply itself—why not, if people will let you get away with it?—but the fact that other nations can't do the same could be seen as a feature.
If Bitcoin does eventually become a common instrument of trade at this level it will fill the same niche currently occupied by gold and other precious metals.
Still plenty of scaling left in the Bitcoin ecosystem.
Presumably if the price went down by a substantial chunk and stayed down for a while, the hashpower would also decrease, and so the difficulty would also decrease.
Also, if electricity prices went up, or if CO2 emissions were taxed, then hashpower would decrease, and the difficulty would go down in turn.
As for the rest... so what? It uses a lot of electricity and there is some pollution---but a lot of bitcoin mining is done with hydro or geothermal (and will be nuclear if bitcoin continues to grow), so, so what about some pollution?
So there's a simple question: how much value do we get out of this tech per CO2e it emits and per ton of e-waste it creates. And AFAICT the answer is: not enough to keep tolerating it in a time where humanity as a whole is seriously worried about climate change for the first time ever.
If you can magically move _all_ the miners to sites with excess renewable electricity and permanently slash the hash rate by 99.9% then maybe it can be tolerated. Until then I would welcome more China-style crackdowns on mining activity across the world.
If you aren't upset about this, you probably haven't studied it. I say that in a spirit of helpfulness. Fiat money grossly distorts all of humanity's economic output and therefore retards our progress on all things, including fixing climate problems. Just one example: The US is becoming a nation of renters because enormous funds are buying up the houses with fiat money they borrow nearly for free.
Fortunately, with bitcoin, we can do something about that, without (eventually) harming the environment.
Mining doesn’t use a fixed amount of energy. As it becomes more economical more people will mine.
Niagara Falls is not what I had in mind. There is lots of untapped hydro power in extremely remote parts of Canada where nobody lives, for example.
If we do not bound the growth of PoW energy usage, I think it could easily destroy itself in a roundabout way: by destroying the fragile global order that keeps humanity going.
Hardly unprecedented, considering that until very recently nations did not have a monetary policy.
You get compensated for your service, it may seem like a lottery, but if you do it for a long enough time, you'll get fairly steady returns as in theory it should be random and proportional to your hashrate.
I don't mine, and I think it's definitely overhyped at the moment, but maybe it will settle in the future and actually provide a useful service to us folk. It doesn't seem to be going away for now, and it is really easy to send money to friends and family, whether they're next door or in another country.
The vast majority of mining today uses sustainable energy (70%+), because it is actually cheaper.
Dishwashers and heated swimming pools use WAY more energy globally, but because pleasant luxuries are quite enjoyable, nobody seems to attack them.
You don't think those get very wasteful in the real world? And there's no equivalent to a real war situation. You can set it up so you don't need to defend against the equivalent of enemy armies.
> The vast majority of mining today uses sustainable energy (70%+), because it is actually cheaper.
What kind of sustainable?
When miners locate next to hydro, and buy it up, that doesn't help anything. That hydro could have been sold as somewhat less cheap power elsewhere, after going over long wires, and then it would have reduced the load on coal plants.
Miners that eat up excess solar can theoretically do a lot to encourage the installation of solar, but they need to be happy letting their machines be turned off a large fraction of the time. If it's still profitable to run 20 hours a day, then they're still encouraging fossil power plants.
> Dishwashers and heated swimming pools use WAY more energy globally, but because pleasant luxuries are quite enjoyable, nobody seems to attack them.
Dishwashers are better than hand-washing, aren't they? Having plates is a lot more important than running cryptocurrencies in a particular way.
If heated swimming pools use that much, then sure let's go after that and use some kind of billing or taxes so they pay extra and encourage sustainable power sources.
It is of course not 100% perfect analogy, nothing is, but I believe you understood the point I tried to get across: it's a security service, and that costs money. Blackwater stationary guard roles are 180-220k a year for someone with years of experience. I'd imagine monetary networks use a lot of physical security, some central banks are literally located in bunkers under mountains, with a backup site in a similar setup on a different geological plate.
I have not seen any PoS schemes so far that provide anything other than plutocracy as a service. There is a reason why ETH with a 100mil R&D budget is still on PoW, Vitalik is not a dummy.
As for the cheap sources of sustainable energy, those are usually stranded hydro and wind that's too remote to be economic, and stranded natgas (for natgas "green" might be a better term; I've used sustainable in the sense that CH4 is far more damaging than CO2. I've been told by regulators it is actually better to burn off CH4 from stranded wells).
Balancing of the grid also does happen, but I believe primarily with wind and hydro.
I, of course, agree that we should not pollute the Earth we live on. High energy usage in itself is not bad, only if it's a harmful polluter. I've only pointed out dishwashers and pools (don't have the stats handy, but they do indeed use a lot more, like a magnitude more), as a common hypocrisy.
We must rapidly scale up non-polluting energy sources, as it seems unlikely humanity can become a spacefaring species on a self-imposed tight energy budget, and this self-imposed handicap coupled with an unexpected asteroid impact can end us.
It's also hard to see how push button Armageddon has possibly made us more safe than nobody having nukes. We are only more safe than if only our enemies had them. The same could even be said of armies.
Or they need batteries. Or some other means of energy storage, for that matter; at the scale of a large mining farm, thermal (e.g. heating water) or kinetic (e.g. spinning a flywheel) might be practical.
Do you have a source for this? I remember the same number being flaunted before but it turned out not to be true. What was true was that 70%+ of miners use any amount of renewables in their energy mix.
Do you have some source for this? I see random numbers being thrown around a lot, would be nice to have a citation for yours.
Armies have to practice. Smart generals don't let their armies do nothing; to be any good at warfighting, they have to fight wars. Effective standing armies have to constantly be finding new wars to fight.
When attacking a neighbor state costs more (because your neighbors have arms too), it’s less likely to happen.
The cold war had plenty of awful hot action with proxies and third parties but the entirely hot version obviously would have been far more calamitous.
I suggest reading Herodotus’ Histories, or you can read up on Genghis Khan, Napoleon, Hitler, Alexander, the Crusades, or the myriad other conquerors and conflicts that have occurred.
If you work with software development - which you probably do - I'd suggest checking what you do for a living, how much energy it consumes and how much physical product it generates.
Just as an aside, when you move a newspaper or a magazine from print to only existing as a web page, you certainly have 'dematerialized' it to a degree. However you still need hardware to keep and display the data and energy to move it around and light up the screens. In so far it does not stop being physical. The 'intangible' is somewhat of a red herring. Yes, it is less haptic, but it's still physics, physical all the way down. Other than that, currencies, freedom, equality, education, entertainment—we've been having intangibles all the time, at least from the dawn of human culture onward. Cryptomining does not bring anything genuinely new to the table in this respect. It's not even new in being a fraudulent, volatile scheme that betrays traits of a cult, one that benefits a few and hurts the many.
Or some AI because humans are prone to bribery to some extent.
Or we could make it democratic. "Jeff Bezos asserts that he provided useful work for society and that he therefore deserves $1B this year. Please cast your votes".
The problems start, of course, when you take a concept to its logical extreme.
The trick is to enforce it in such a way that it can't be easily dodged via e.g. offshoring.
PoS staking is simply committing a portion of your capital to the task of validating transactions. You benefit by receiving a reward in the form of additional tokens.
In a PoW system, the same exact thing can be accomplished by using your tokens to purchase a stake in a mining pool. You will similarly be unable to access your capital, be rewarded with additional tokens, and at the end of a period of your choice, you can liquidate your position in the mining pool to reclaim your tokens.
PoW in this context is a bit worse because PoW miners can rent out their hash power maliciously without being slashed.
In this world, the "nothing at stake" problem also manifests in proof of work, where I believe ownership in the mining pool makes you agnostic to the outcome of any chain splits - although I'm still working this bit through in my head. Opinions welcome!
Sounds wrong. Slashing is a means to prevent people from staking on multiple chains. In PoW, computing power is scarce, so if you allocate some compute time to one chain then you have less of it on another chain. You automatically get slashed. The difficulty in designing a PoS chain is in artificially re-creating this slashing and thereby solving the "nothing at stake" problem.
The splitting is unavoidable and happens constantly. Multiple competing future states are constantly being created, and the network has to eventually arrive at a consensus about which possible future is the true one.
> Where is the difficulty in making miners expend their tokens (i.e. in a way that is irrevocable) instead of merely depositing them somewhere?
Figuring out how to make spending your tokens irrevocable is the whole point of PoW/PoS. Your question reads to me like "In trying to solve problem x, why don't you assume that you've already solved problem x, and use that to solve problem x."
Maybe I'm missing something... if miners are required to send the tokens to an invalid address, are these tokens not lost irrevocably?
This has a clear answer in PoW, but not in your scheme.
An equivalent attack wouldn't work on a PoW chain. If you do the equivalent of "staking" on chain 2, then you're computing hashes, which is costing real-life resources. In the PoS case, without slashing, staking on chain 2 is free. In fact, this is the rational move to make every time you spend a token; stake on competing chains to get your token back.
There was a PoS mechanism that makes people who cheat lose all their coins? I wonder if it is relevant here.
... Aha, that's "slashing" -- the other members in the network would look at the two chains, and notice that you were misbehaving, and add transactions that remove parts of your coins? (They'd add to both chains? Or just the winning one?)
Within protocol, no. But when weighing a fork, those with the gold choose the rules.
So probably more than 1 guy. Maybe 5-10.
BTC is also getting smart contracts soon, which makes ETH redundant as well, but it will take a while before it catches up in terms of possible complexity of the contracts.
It's probably not renewable (well, neither is the Sun on large enough timescale), but do you believe nuclear, either fission or fusion, will play a large role in the future?
> Do you consider nuclear energy sustainable?
Low-carbon, yes. Sustainable, yes. Renewable, not until we productionize extraction of uranium from seawater. 
> ... but do you believe nuclear, either fission or fusion, will play a large role in the future?
Fusion if we can crack it, totally. Seems like a clear winner. Fission probably will if there's some political will behind it, but not unless there's a change in sentiment.
> of which the following sources are considered to be renewable
In other words, it attempts to define the word "renewable" along favoured political ideologies.
> Advances in breeder reactor technology could allow the current reserves of uranium to provide power for humanity for billions of years, thus making nuclear power a sustainable energy
TL;DR: nuclear is just as renewable as solar (beyond any likely duration of the human civilisation).
The status quo will be incredibly difficult for attackers to overcome; even with a large chunk of industry, exchanges, miners and whales against the status quo, it prevailed.
Hmm, maybe I’m ignorant, but in practice, don’t miners (socially, not technically) have substantial say in issues like the block size debate?
If you want to create a hard fork of the chain for any reason, whether people accept your fork as legitimate will in part reflect the total hashing power of that forked chain, right? So in practice what miners choose to follow will have a big impact.
Maybe not quite the same as PoS in-chain voting, but it still seems to give large miners outsized power, no?
Changing the hashing algo isn’t a realistic punishment for targeting misbehaving miners.
You end up with two choices:
1. Change to an algorithm that uses gpu/cpu instead of ASICs (and is ASIC-resistant), but then your algo runs on general-purpose computing and you can’t fork miners off ever again.
2. Move to another algo that benefits from ASICs. This has the extra overhead that you need to spin up manufacturing and distribution of these ASICs to honest miners, which takes quite a long time to do and while you’re waiting, your network is being attacked.
In either case, you aren’t just punishing a misbehaving miner, you’re punishing *all* miners who now all need to get funding to buy and rack new hardware. You’re making a big assumption that the misbehaving miner won’t be able to get financing or sufficient capital while the honest ones will. If the dishonest miner’s attack was profitable while waiting for the fork, they get to keep all of that money and can spend it on new hardware.
In PoS, the attacker will lose their stake, meaning they lose the money they had before, and earned as a result of, the attack. It may be much more difficult for that validator to get access to capital and lenders will be hesitant to lend to an entity that now has a history of burning capital.
You mean the Proof of Work algorithm, which is not quite the same as the hashing function.
...just re-using the terms for continuity and simplicity's sake.
Yes, a PoW algo is probably a better generic term, although I am not confident complex algos would be accepted as first-line replacements by the wider community.
Am I wrong in that assessment?
You're right that Bitcoin will never accept a change of PoW. At least not until SHA256 shows signs of being broken.
It only buys you the right to append a block of transactions to the ledger, which is the same thing as having 100% of the votes.
The leader can even opt to put no transactions in the current block, something that has actually happened on many occasions: https://www.theblockcrypto.com/post/67928/bitcoin-miners-are.... Obviously, the leader was making a decision here, there were not actually zero transactions to process :)
No, there is no voting and there is no leader election. Miners construct blocks with transactions and if they manage to find a signature - that block is appended to the chain. If somebody does it faster - they append their block.
Please at least get the basics before you start arguing with people.
I know far more about Bitcoin than I ever wanted to, believe me. You really should not be making these kinds of ad hominem arguments when you don't understand terms like "consensus" or "leader election."
No, the hash that you win with, deterministically points to the only possible block that you can “propose”. Your understanding is completely backwards. You seriously don’t know how bitcoin works.
Here is my question to you: if the node that wins the election (and the ones that accept its mined block, of course) is not the one voting on which transactions get to go into the chain, rather than be stuck in the mempool somewhere, who is? Do you genuinely think there is no decision being made there?
There is no "voting" and no "leader" except in the most abstract sense and I'm not sure why you're so determined to use those terms.
All miners “vote” by hashing and one of them wins. They don’t win because somebody voted for them, they win because they happened to find a satisfactory hash. The chance to win that hash faster than other miners is proportional to hashrate. The hash is determined by the block of transactions entirely, so once you win the race, you don’t get to propose anything other than that one predetermined block.
Which transactions go into a block is decided before any mining for that transaction happens.
Just read, please.
You're coming off worse in this argument because you seem to realize on some level they're just using different (possibly wrong) terms in their accurate description of the mechanisms, but then you keep making snide remarks that imply they don't understand the mechanisms.
I think your analogy to flat earth was better. Because sure, treating the earth as flat isn't correct, but it's often a perfectly good approximation, and arguing about whether a big field is flat or not is a giant waste of time. Don't completely dismiss someone because they use those terms.
"Leader" or not, it's basically equivalent. And the process of letting miners input yes/no values for whether they support a proposal into their block, averaged over thousands of blocks, gives you the same result as "voting". So talk about whether those results are useful.
Every 10 minutes a miner wins the right to append a block to the chain, by guessing a secret number. The chances of winning are proportional to the amount of money each miner has expended in the process of guessing the secret number. This is equivalent to holding a vote every 10 minutes in order to choose who gets to append the transaction block. Therefore, you're wrong. There's a vote. And if you can't understand this obvious fact about bitcoin, you have no business discussing bitcoin.
As I said in a sibling thread, it’s like arguing the earth is flat by proposing a very special metric of space. Feel free of course, I just don’t accept it.
Yes, they do get to choose the block. Transactions to include in the block are (usually) chosen from the mempool, which is unique per node (it’s similar but never exactly the same between any two nodes). Miners can also choose to include transactions that were never publicly broadcasted, and therefore never appeared in another mempool. Typically the transactions with highest fees are chosen, although fees can also be paid (or bumped) outside the mempool.
The miner of a block doesn’t get to choose the contents of every transaction, but they do choose which transactions to include when they win a block.
It seems like you’re hung up on terms that aren’t commonly used in the context of bitcoin mining, but are valid and are commonly used in the broader context of distributed systems.
Of course they have a choice. If they didn't, miners would serve no purpose. We would just have one block and that would be the block that would be appended. The consensus would be achieved automatically, without any need of guessing secret numbers.
> And if it was an election, wouldn’t the result always be the same with largest miner always winning because they have most votes?
No, because the miner is elected at random. The crucial point to understand is that their chances of getting elected are proportional to the money they spent. That doesn't mean the largest miner will get elected 100% of the time.
Lol, no they don't.
A certain hash wins, every ~10 minutes. That hash is calculated from sha(block, nonce), where nonce is the randomized part that the miner mutates to get different hashes. Once a hash that satisfies the protocol is found, that's it; you can't choose a different block to append to the chain.
It is just laughable that I have to explain this level of basics.
Maybe this article will help you understand just how nonessential the fact that the block is part of the SHA actually is: https://www.usenix.org/system/files/conference/nsdi16/nsdi16.... Please read the whole article, and then come back so we can have a discussion on equal footing.
Well, certainly not the winner of the "election", because by the time that "election" starts, the block is already constructed.
And I'm not going to read any of your links until you actually start understanding the basics of the bitcoin protocol. Though your lack of understanding explains perfectly why you fall for the scammy bells and whistles of competing bitcoin-wannabes. "Bitcoin new generation". Lol, give me a break.
Again, I'll ask you, since you keep dodging the question: if the node elected as leader is (according to you) not choosing the block, who is choosing the block? Why are you so obsessed with whether the value was chosen "before" or "after" the election, which is an irrelevant detail of the protocol? If you can't answer these things and won't read the paper, I don't really see any reason to keep talking to you, because all you've done is make the same irrelevant point over and over.
1. Once the "leader" is "elected",
2. do they have a choice of what block to append?
You said they do, which is a fundamental lack of understanding of how bitcoin works.
> when the leader is elected every 10 minutes, do they get a choice of what block they append to the chain?
and the answer is yes, the miner that gets elected chooses which transactions to append to the chain. Do they pick the transactions after getting elected? No, they pick them before getting elected. In fact, it doesn't matter whether they pick the transactions before or after getting elected, because their chances of getting elected are unaffected by which transactions they picked. Therefore, it makes absolutely no difference. The fact that you think it makes a difference tells me you're very confused about the role miners have in the bitcoin network.
Maybe they act like all the other rational miners and optimize by mining fees.
Maybe they include no transactions and only take the miner reward.
Maybe they don't like the Dutch so all their transactions are excluded.
It really doesn't matter as all y'all have been arguing over is what to call the person who won the current round.
You really don’t see how this terminology is completely incoherent for this scenario?
A miner can choose which block to build on. At any given moment Bitcoin can have several competing "in progress" forks. This is why most exchanges require... 7, I think?... blocks on top of yours to consider the transaction more or less confirmed.
Yes, this is a 51% attack in Bitcoin. If you have a majority of votes, you can disregard the current chain, fork from behind, and catch up.
This is expanded upon in the peer-reviewed Bitcoin-NG paper that both of you are refusing to read, which breaks down the Bitcoin protocol into distinct parts (which was why I linked it--not because I am proposing that it replace the Bitcoin protocol, but because I thought it would be useful for you to understand how Bitcoin performs leader election already). Specifically, it analyzes the effects of splitting up leader election and block commit parts of the protocol. As it turns out, it has essentially no effect on Bitcoin's security guarantees, which is not surprising--because the fact that block selection and leader election happen at the same time is an implementation detail that doesn't actually matter! Once you realize this detail that you are obsessing over (the block being decided at the same time the leader is) is not important for the protocol, you will also see that the leader election is in fact the critical part.
Nodes decide if they will append your block to their chain.
A miner that decides to mine out of consensus blocks is just burning money, and will be on their own fork with their “100% votes” that nobody else uses.
Give it a try, spend a few million on mining equipment and then try forcing something on the network.
It’s not a democratic system, never was.
The proposed block must comply with the rules your node enforced, or it will not be accepted. It’s not just work, but also the entire consensus-set they must abide by.
Miners cannot force new rules, if there is no consensus.
If 51% of miners decide to, after block #N, not include any transaction that doesn't satisfy the predicate P in any block they produce, nor mine on any chain which has a block after block #N which has a transaction that doesn't satisfy predicate P, then the longest chain will have all the transactions after block #N be ones which satisfy P, and furthermore, if the other 49% of miners are aware that this is happening, if they want their blocks to be in the longest chain, they have incentive to follow the same rules when mining.
This is the logic behind soft forks, is it not?
With PoS, the coin creators can assign themselves an arbitrary fraction of the coins, concentrating the wealth. Even if there is a public record of all the funds raised in a public sale and all expenditures made (which is rarely the case), it's possible for the creators to participate in the public sale and recover large parts of funds used to buy their own token by generous expenditures on software development and such.
There are plenty of PoW coins with unfair or absurd distributions, and plenty of PoS coins with somewhat equitable distributions.
In my opinion a fixed block subsidy would be most equitable, but that's a very slow emission, taking 100 years to reach a yearly supply inflation under 1%.
Who is the top researcher on this subject these days?
Anyway, I'd also be interested to know if there's existing or active research along these lines.
I don't see much difference between a PoW mining setup that does $1000/day gross, $990/day expense, $10/day profit and a PoS staking setup that does $12/day gross, $2/day expense, $10/day profit. Both earn $10/day, both require maintenance, and both are run not at a net cost but at a net profit.
Additionally mining isn’t always profitable. There is financial risk and miners can go bust and take financial risk. Staking is basically always profitable if you don’t misbehave.
It gets a lot more complicated than that because setting up competing systems is cheap. It is like saying "nobody would write this piece of software for free". What we learned with open source is if the cost of distribution gets low enough then there needs to be just one person somewhere on earth willing to maintain it and it can work.
If the cost of creating trustworthy local (or international) monetary systems is basically 0 then it isn't obvious that plutocrats have an advantage beyond the one they already have by virtue of being powerful. If they can force you to use their system they already control the government so didn't need any technical help.
You can't even fork a stablecoin. In case of a split in a PoS chain, the correct fork will be decided for you by USDC and Coinbase.
Unless we're going to pretend that there is only one way on and off networks and only in one currency denomination…
In practice the value of the forked collateral is likely to be low, leaving the stablecoins insolvent.
However, if you are only forking the VM and allowing people to deploy other protocols (or forks of other protocols), this is not the case (they just start off at lower total supply relative to the native collateral available on that network from a lower demand base).
I think I'd agree for things like ZCash/Dash etc. compared to BTC, but I'm not sure I'd agree when it comes to all the contracts deployed on all EVM networks, and none of this has anything to do with decentralized stablecoins.
For example, you can mint MIM (a decentralized stablecoin) on both Avalanche C-Chain and Ethereum (as well as Polygon, Fantom, BSC and Arbitrum), and they are both worth $1, but have different collateral backing it on both networks. If users wanted to leave one or the other, they could just redeem their MIM for the underlying, sell it and buy the collateral on another network and mint it on the other network. The collateral might trade lower on one network based on market factors (like if the narrative shifted to that the chain became too centralized or w/e, and this assumes that even the price movement of the underlying overwhelms the over-collateralization ratio, it might not) but it would just mean that there would be more or less MIM on that particular network as assets are liquidated, and not that the MIM itself would be worth less.
If you want to use coinbase to buy crypto and tokens, that's on you.
And that's where competition between currencies provides checks and balances against such pathological behaviours.
I've been wondering about that recently - for all of the excitement about DAOs and Governance Tokens, are there any good examples of interesting decisions being made via their voting mechanisms?
What are some places I can go to see recent votes and their outcomes?
Actually, in PoS if you try to attack and you don't have a majority you will lose all your coins. In PoW if you try to attack and somehow you miscalculated, you will lose a couple of hours' worth of electricity, after which you can go back to mining normally, so much lower stakes for an attack.
Ethereum Classic is the fork that refused to rewrite the blockchain to void the hack, and the linked tweet is VB affirming that he’s only working on the main (reneging) Ethereum fork (which goes by ETH), not Classic (goes by ETC).
Not sure why the parent linked that tweet, maybe Twitter just makes it too hard to identify what tweet you actually want.
The hard fork reversed those transactions.
No matter what fancy spin you put on it, that was absolutely a violation of the blockchain's integrity, as it violated the principle that accepted transactions can't be reversed after the fact, even if you call it an "irregular state-change" that just keeps things secure.
You can absolutely defend the position that this was best for the ETH ecosystem. But it was absolutely a reneging on the blockchain rules.
People will opt out of currency regimes that are abusive. This is not like a terrestrial government where you are fucked for life because a bureaucracy controls the land you live on. You don’t have to immigrate to escape a corrupt currency. And you don’t have to all-in in one currency.
If you own dozens of coins, you liquidate the shitcoin that is controlled by corrupt tycoons.
Somebody tell him about the r-family.
Just how it works.
Aren't you just describing capitalism here? The people that created the system and own the biggest share of it have gigantic influence on it. Matter of fact, isn't that exactly what happened in Ethereum's PoW network, too? The developers decided to switch to PoS regardless of what the current participants want.
In general, isn't the idea of using PoS that if you aren't happy with the current system, you can easily fork into a competitor? If enough people think the current system is unjust, then you can switch to the new one, where you will be part of the development. At the beginning of the fork you also wouldn't need that much compute, as PoS is more efficient and you aren't going to have many users/transactions in the first place.
Since it's easy to switch currency (at least easier than privately setting up a Dollar 2.0), members of the original currency have to behave fairly, else people are going to switch. Note: The thing people are switching to doesn't even have to be better in any way than the original currency. It just has to have different controllers to influence the members of the original system.
The way I see it, is that there's no meaningful way in which PoS based currencies are worse than the current monetary system: large stakeholders in current global currencies also have gigantic leverage (think of money printing during the pandemic or bailouts after the 2008 financial crisis). The real advantage I see with PoS systems is not the system itself, but the tooling that comes with it and allows for the development of competitor currencies that check the power of each other. With current global currencies there's no checks-and-balances system inside the monetary decision making process, while a fleet of independent PoS has the chance for checks and balances to be induced through competitive pressure.
It fairly describes every political system and economic system that has ever existed or will ever exist. What's being described is how humans always organize systems in regards to political and economic power.
See: Socialism, Communism, Fascism. It applies just the same to those. Except in those systems they'll murder you and your entire family, then burn your village/town to the ground, if you attempt to compete with the rulers or party (Chavez, Castro, Stalin, Lenin, Mao, Hitler, Mussolini, Pol Pot, Kim, Putin, Erdogan, Lukashenko, etc.).
Whereas I can freely compete with Coca Cola, Tesla, Salesforce, Splunk, DigitalOcean, Cloudflare, Starbucks, 3M and most other companies if I'm able to. Nobody is stopping me from inventing a new coffee drink and going after Starbucks with it, or setting up a better coffee chain on the corner. Nobody is stopping me from inventing a better soda-competing drink (see: Monster or Red Bull or 5hour Energy; those people weren't assassinated by the soda cartel). Nobody is preventing me from starting the next great convenience store (ask 7-11 how they feel about upcoming Sheetz; or ask KFC how they feel about Chic-fil-A).
Isn’t the whole point that by that time he would have withdrawn from the network so he would sink it without losing anything himself.
This 'long range attack' is different from a 50% attack because it doesn't affect nodes that were running before the attack happened. But a situation where new entrants into the network are uncertain of the 'true' fork is not tenable in the long term.
This seems more viable for a value destruction attack than for a double spend. But value destruction can be lucrative for blackmail. It means a coalition of stakers could withdraw their stakes and state "increases the blocksize or suffer a long-range attack".
This is an important point to consider, but it can be mitigated with exit delays. E.g. with Eth2's current settings, if an attacker had 2/3 stake at one point, I believe it would take them 6-7 months to exit all those validators. So while it's true that new entrants must sync from a trusted checkpoint, the checkpoint can be quite old.
Let's say my client has a hardcoded list of checkpoints, with a new one added once a month. The client would only accept forks containing all of those checkpoints in their history.
It seems like there are two ways an attacker with commit access might try to corrupt this checkpoint list. First, they could try to add bad checkpoints over a period of 6-7 months, until they've fully exited and can safely perform a long-fork attack. This seems impractical, since the bad checkpoints would be noticed by existing node operators (who would get stuck after upgrading their clients), and 6-7 months seems like plenty of time to raise the alarm.
Alternatively, an attacker could just delete 6+ good checkpoints, and replace them with 6+ bad ones, all at once. This would violate the convention of adding monthly checkpoints, so it should be easily recognized as a malicious change. One could argue that it might go unnoticed anyway, but sneaking in such a change seems roughly as hard as sneaking in any other clearly-malicious client change.
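To make the checkpoint convention concrete, here is an added example (not the commenter's code, nor any real client's) of the two checks a client could apply: a fork is only considered if it agrees with every hardcoded checkpoint at a height it has reached, and a client upgrade is only trusted if it appends exactly one checkpoint to the existing list at the usual spacing. Heights, block ids and the one-checkpoint-per-month spacing (expressed as a block count assuming 12-second slots) are all constructed.

```python
import hashlib

# Added example, not from the thread or any real client. Assumption: one slot
# every 12 seconds, so "monthly" checkpoints are about this many blocks apart.
BLOCKS_PER_MONTH = 30 * 24 * 3600 // 12   # 216000


def block_id(label: str) -> str:
    """Constructed block identifier standing in for a real block hash."""
    return hashlib.sha256(label.encode()).hexdigest()


def honours_checkpoints(chain: dict, checkpoints: list) -> bool:
    """True if the chain agrees with every checkpoint at a height it has reached.

    `chain` maps height -> block id for the blocks the client knows;
    `checkpoints` is the list of (height, block id) hardcoded in the client.
    A fork that diverged below a checkpoint fails here no matter how much
    (since withdrawn) stake signed it, which is what defeats a long-range fork.
    """
    if not chain:
        return False
    tip = max(chain)
    for height, expected in checkpoints:
        if height <= tip and chain.get(height) != expected:
            return False
    return True


def checkpoint_update_ok(old: list, new: list) -> bool:
    """Accept a new checkpoint list only if it extends the old one by one entry
    and keeps the roughly-monthly spacing.

    Deleting or rewriting earlier entries, or adding several at once, is the
    "replace 6+ good checkpoints" pattern and is rejected as suspicious.
    """
    if new[: len(old)] != old:
        return False                      # earlier checkpoints were altered
    if len(new) - len(old) != 1:
        return False                      # not exactly one appended entry
    for (h0, _), (h1, _) in zip(new, new[1:]):
        if not 0.8 * BLOCKS_PER_MONTH <= h1 - h0 <= 1.2 * BLOCKS_PER_MONTH:
            return False                  # spacing breaks the monthly convention
    return True


def sample_chain(months: int, diverge_after: int = None) -> dict:
    """Constructed sparse chain with one block per monthly height.

    If `diverge_after` is given, heights beyond that month belong to a
    different history, i.e. a fork created in the distant past.
    """
    out = {}
    for m in range(1, months + 1):
        real = diverge_after is None or m <= diverge_after
        out[m * BLOCKS_PER_MONTH] = block_id(f"{'real' if real else 'fake'}-{m}")
    return out


if __name__ == "__main__":
    # six monthly checkpoints shipped in the current client (constructed)
    shipped = [(m * BLOCKS_PER_MONTH, block_id(f"real-{m}")) for m in range(1, 7)]
    print("real chain accepted:", honours_checkpoints(sample_chain(7), shipped))
    print("fork from month 3 accepted:",
          honours_checkpoints(sample_chain(7, diverge_after=3), shipped))

    # the routine monthly upgrade versus a wholesale rewrite of the list
    routine = shipped + [(7 * BLOCKS_PER_MONTH, block_id("real-7"))]
    rewrite = [(m * BLOCKS_PER_MONTH, block_id(f"fake-{m}")) for m in range(1, 8)]
    print("routine upgrade ok:", checkpoint_update_ok(shipped, routine))
    print("rewrite ok:", checkpoint_update_ok(shipped, rewrite))

    # one bad checkpoint slipped in passes the list check, but nodes that
    # already follow the real chain get stuck on it, which is how it is noticed
    sneaky = shipped + [(7 * BLOCKS_PER_MONTH, block_id("fake-7"))]
    print("sneaky upgrade passes list check:", checkpoint_update_ok(shipped, sneaky))
    print("existing node still syncs:", honours_checkpoints(sample_chain(7), sneaky))
```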
In PoW miners risk going bankrupt overnight for egregious behaviour like that.
I'd like to see how one defines "slashing" programmatically that is impartial, works algorithmically, and does not have edge cases that can lead to catastrophic failures without handwavy assumptions that every single PoS network has today.
But my understanding was that you can only have enough stake in the network to make decisions...by having that stake in the network. If you un-stake your crypto and cash out, by definition, you no longer have any stake in the network. If you no longer have any stake, how do you have a controlling stake?
Amazing breakthrough, really. Now DDoS blackmail can actually be measured in money.
At least you could point to avalanche or something else that's better constructed. Eth is a dinosaur at this point, albeit with the fattest treasury.
Not if he’s undetected and does it for years while extracting value at key points in time.
There are numerous people who could put up $50B with the ability to get very high returns.
It’s not even worrying about Buffett. I worry about hedge funds and sovereign wealth funds that would definitely manipulate PoS if it earned enough for them.
Is this a problem in practice? As the article says, no ... but only because there is a sort of vaguely specified "proof of authority" that backs the current chain, which actually just reintroduces centralization. The author cites the Bitcoin Cash and DAO/ETH Classic forks as cases where that proof of authority gets tested and shows the actual centralization.
It's my understanding that Algorand has something on top of pure PoS that ensures the consensus (which the article says is necessary) so I'm not sure the same criticism is applicable there, but can't comment further until I get more familiar.
I don't mean to be rude here, but none of what you have said refutes my point.
The attack here is that you control keys that (1) once held 67% of the value, and (2) no longer do. Because they did hold value once, they are dangerous to consensus. Because they no longer hold value, nothing is sunk into the network, so the attacker bears no cost or risk.
To apply your analogy: I don't have to be Warren Buffett, I just have to riffle through his trash.
You can't do that with PoW without "additional" consensus rules, which is that slippery slope to PoS!
As long as a sufficient number of people believe some currency has value - it has value. If they don't believe, it doesn't have value, and the stakes are worthless too.
In PoW all hashrate is always voting and security is paid for external expenditure, not something virtual within the system.
PoS is a scam and you should stop supporting it.
The problem eventually reduces to Ken Thompson's "Trusting Trust" problem. There's no way to externally validate the honesty of any system (cryptocurrency, or otherwise).
So long as you have a general idea of how much hash power is being used currently for the network, or even just how efficient ASIC computing is in general at your point in history, you can work out how great the hashing difficulty should be. You can trivially verify that the block hash with a large number of preceding zeros, e.g. 0000000000000000000b98dd8e7504793c0644cb0c27eb98f06aab9ea93c4ec2, is the hash of block it's attached to, and that a hash value that small would require a huge amount of energy to find. And every block beneath it also required a huge amount of energy, creating a huge real world economic cost to produce. You can't fake that chain without equivalent sacrifice of energy and compute resources.
Anyone trying to deceive you with a false chain would have to expend approximately as much energy as the entire legitimate bitcoin network does, and then keep doing it for as long as they want to deceive you. Sure, that theoretically could happen, but the economic incentives to do it just aren't there.
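As an added example (not code from the thread), here is a toy proof-of-work chain in Python that mines with the sha(block, nonce) loop described earlier and then checks a chain the way the post above describes: one cheap hash per block to confirm it meets its target, summing the expected work each block encodes, so that a rival fork carrying less cumulative work loses regardless of its length. The header layout, the leading-zero-bits target and the sample transactions are constructed for the example.

```python
import hashlib
import json

# Toy proof-of-work chain, added as an example rather than taken from the
# thread. A block is a dict header; its id is the double-SHA256 of the
# canonical serialisation and must be <= a target, i.e. start with `bits`
# zero bits. The work arithmetic mirrors Bitcoin's: the expected number of
# hash attempts to meet target T is 2^256 / (T + 1).

HASH_SPACE = 1 << 256


def block_hash(header: dict) -> str:
    """Double-SHA256 over a canonical serialisation of the header."""
    raw = json.dumps(header, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(hashlib.sha256(raw).digest()).hexdigest()


def target_for_bits(bits: int) -> int:
    """Largest hash value that counts as a solution for `bits` leading zero bits."""
    return (HASH_SPACE >> bits) - 1


def expected_hashes(target: int) -> int:
    """Expected number of hash attempts needed to find a hash <= target."""
    return HASH_SPACE // (target + 1)


def mine(prev_hash: str, txs: list, bits: int, max_nonce: int = 1 << 32) -> dict:
    """The miner's loop: the block content is fixed first, then only the nonce
    is mutated until the header hash meets the target."""
    target = target_for_bits(bits)
    header = {"prev": prev_hash, "txs": txs, "bits": bits, "nonce": 0}
    for nonce in range(max_nonce):
        header["nonce"] = nonce
        if int(block_hash(header), 16) <= target:
            return header
    raise RuntimeError("nonce space exhausted")


def verify_chain(chain: list, genesis_prev: str = "0" * 64) -> int:
    """Verify linkage and proof-of-work of every block; return cumulative work.

    Verification costs one hash per block however much work the miner spent,
    which is the asymmetry the post relies on. Raises ValueError at the first
    block that is not a valid solution, so a block cannot claim work it did not do.
    """
    total_work = 0
    prev = genesis_prev
    for height, header in enumerate(chain):
        if header["prev"] != prev:
            raise ValueError(f"block {height} does not extend the previous block")
        h = block_hash(header)
        target = target_for_bits(header["bits"])
        if int(h, 16) > target:
            raise ValueError(f"block {height} hash {h} does not meet its target")
        total_work += expected_hashes(target)
        prev = h
    return total_work


def heaviest_chain(candidates: list):
    """Return the valid candidate with the most cumulative work (None if none is valid)."""
    best, best_work = None, -1
    for chain in candidates:
        try:
            work = verify_chain(chain)
        except ValueError:
            continue
        if work > best_work:
            best, best_work = chain, work
    return best


def build_chain(length: int, bits: int, tag: str) -> list:
    """Mine `length` linked blocks at difficulty `bits` with constructed transactions."""
    chain, prev = [], "0" * 64
    for i in range(length):
        blk = mine(prev, [f"{tag}-tx{i}"], bits)
        chain.append(blk)
        prev = block_hash(blk)
    return chain


if __name__ == "__main__":
    honest = build_chain(3, bits=14, tag="honest")   # ~16k attempts per block
    rival = build_chain(3, bits=8, tag="rival")      # same length, far less work
    print("honest work:", verify_chain(honest), "rival work:", verify_chain(rival))
    print("winner is honest:", heaviest_chain([honest, rival]) is honest)
```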
However, that presumes all forks are soft forks; that you are presented a correct chain; that you want the soft fork with consensus rules accepted by most miners. (If verifying with an old bitcoin client, the BCH/BTC split will be resolved for you without you having a say.)
In summary, PoW has less need for Phone a Friend than PoS. But it still has some problems.
What if Bitcoin and Bitcoin cash had the exact same amount of hashing? Which is the true Bitcoin and why?
For other people: https://news.ycombinator.com/item?id=29367857
And you assume that attackers will never have enough computing resources to execute a 51% attack – which could happen because the currency’s value falls enough that people stop mining it, because an extraordinarily well-funded entity decides to attack it, or because someone manages to hack the miners…
Then you do gain the security guarantee that if you see multiple competing branches of the blockchain, you’ll know which branch is the correct one (namely, whichever is longest). However, you’re still relying on phoning your “friends” (nodes you’re aware of) to tell you what blocks exist! If they all keep the true longest branch a secret from you (or, say, someone blocks your Internet connection to the nodes that aren’t willing to do so), then you will think the next longest branch is the correct one.
To be fair, that isn’t the most practical attack. But none of the risks being discussed here are remotely practical. In practice, nobody wants to connect an outdated client to a blockchain network because it risks (a) getting yourself exploited through known vulnerabilities in the client, (b) not working due to backwards incompatible protocol changes or bugs, or (c) missing a hard fork that might have happened over disagreements in policy changes (because there are always policy changes). So you update your client, and that means you have to rely on a “friend” to tell you which software you should be running.
It's called "Eclipse Attack". But it's a threat for single nodes not for the network as a whole.
Indeed, but the same is true for attacks on "weak subjectivity" proof-of-stake. They're only a threat for nodes that have been disconnected for a long time (months) before they try to reconnect.
My understanding is that the attack you describe involves a cabal of "evil" validators signing some alternate chain (call it the "fake" chain) long after their stake is withdrawn, creating a fork in the distant past. Before they did this, they pretended to be good validators, which meant they signed the "real" chain's blocks and then signed the withdraw transaction. So after the attack, there are two conflicting sets of signatures signed using the evil cabal's private keys; those on the fake chain, and those on the real chain. So anyone in possession of both of these sets of signatures can conclude that the validators in the cabal are "evil", and then they can see that once the cabal's support is removed from consideration, the real chain had more valid validator support (at the time of the fork, in the distant past). If this line of reasoning is correct, that suggests that anyone who is aware of both sets of signatures can identify the real chain?
I think this is where you get the problem - if you just have two sets of signatures, how do you tell which is legitimate and which one isn't? How do you conclude in which set the cabal was lying?
An eclipse attack is so named because it requires you to keep all the light out so they're kept in the dark. But here, since there's no internal mechanism to tell the two chains apart, you don't only need the accurate information, but also outside information about which one is accurate.
Where proof-of-work really does have an advantage is that you can more easily distinguish that scenario from the scenario where either one of the chains is actually a Sybil attack, i.e. a single attacker pretending to be a large number of people. Similarly, if you only see a single chain, with proof-of-work you can try to detect an eclipse attack (which implies a Sybil attack) by seeing if the hashrate has gone down dramatically.
That's a real advantage. I don't think it's even close to enough to mitigate proof of work's disadvantages, especially since the circumstances where it would practically come into play are extremely unlikely, but it's not nothing.
However, it's undermined by the fact that proof of work naturally encourages centralization. Bitcoin is centralized enough that it's not completely impossible for the vast majority of the hashrate to end up on one side of a fork (either soft or hard), while the vast majority of users and developers end up on the other side. (To be clear, this is very, very unlikely to actually happen, but so are all of the attacks we're talking about.) If this happens, the objective proof-of-work standard will side with the miners, but not with the people you actually want to transact with.
Of course, a proof of stake currency can also suffer a schism, but there is (probably) less tendency for stakers to be centralized, and if a schism did occur, at least the client wouldn't provide a false sense of objectivity.
Is it even true? Steemit had the exchanges do a hostile takeover, because everyone was staking through them.
I feel like you should be able to deduce it from the distribution of participation after the fork, right?
The “fake” chain would lose all honest verifiers (and all transactions from honest wallets?) which seems like it would be pretty detectable with simple statistical analysis. Staked nodes not participating (and active wallets not transacting) becomes less and less likely the longer the post-fork chain is.
But you don't know who's honest - you may as well be saying the real chain lost all the dishonest verifiers.
For each chain you'd be able to look at the age, stake & historical participation level of the post-fork participants and get a pretty good idea which (if either) of the chains is real. The absence of honest participants should look a lot different than the absence of dishonest ones.
Granted, this method is not nearly as simple as checking the number of 0s on a hash, but I would imagine it to be quite difficult to circumvent.
Which means that large stakeholders suddenly stop verifying blocks. Long-term active wallets stop transacting.
The same might be true for both chains after the fork, but I would imagine the fake one would have a larger change in participation (weighting older wallets and larger stakes) than the real one.
For PoW, you'd have to know the hash of the start of the chain (the "genesis block") in advance to verify you downloaded the correct chain. That's true, but this hash doesn't change during operation. You could get that hash from a history book if you will.
For PoS, the hash is from the end of the chain and therefore constantly changing. This means the challenge of finding out whether the hash is the right one is a lot more real than in the PoW case, because there is no "common knowledge" to go by which hash is right.
Nope. You could fork the chain at a period of low difficulty and it would still stem from the genesis block. It would either be a short chain, or have clearly low difficulty though, so it wouldn't fool anyone knowledgeable. I'm not sure how you would leverage that chain for fraud.
Bitcoin doesn't decide what is called bitcoin, we as a community do
But-- there's nothing to preclude you making big steps up in difficulty at the end of the chain. It means that one evaluating the length of the chain for authenticity really needs to integrate the difficulty over the entire chain and not just look at the number of blocks.
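The points made in the comments above, in working code: a verifier compares cumulative work integrated over the whole chain rather than block count, checks a leading-zero hash against its target, and can estimate the hashrate implied by a run of headers (a sharp drop being the eclipse-attack hint mentioned earlier in the thread). This is an added example, not code from any commenter; the nBits decoding and the work formula follow Bitcoin's actual rules, but every nBits value, chain length and timestamp below is constructed, and the target paired with the thread's example hash is not that block's real difficulty.

```python
"""Chain-work arithmetic for Bitcoin-style block headers (added example)."""

# Block hash quoted in the thread; the nBits we pair it with below are constructed.
EXAMPLE_BLOCK_HASH = "0000000000000000000b98dd8e7504793c0644cb0c27eb98f06aab9ea93c4ec2"


def bits_to_target(nbits: int) -> int:
    """Decode Bitcoin's compact 4-byte nBits field into a 256-bit target."""
    exponent = nbits >> 24
    mantissa = nbits & 0x007FFFFF
    if nbits & 0x00800000:  # sign bit set: a negative target is never valid
        raise ValueError("negative target in nBits")
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def hash_meets_target(block_hash_hex: str, nbits: int) -> bool:
    """Proof-of-work check: the header hash read as an integer must not exceed the target.
    'Many leading zeros' is just the human-readable view of this comparison."""
    return int(block_hash_hex, 16) <= bits_to_target(nbits)


def work_from_bits(nbits: int) -> int:
    """Expected number of hash attempts a block at this target cost
    (same formula as Bitcoin Core's GetBlockProof)."""
    return 2**256 // (bits_to_target(nbits) + 1)


def chain_work(nbits_per_block) -> int:
    """Total work of a chain. Nodes follow the chain with the most work,
    not the one with the most blocks."""
    return sum(work_from_bits(b) for b in nbits_per_block)


def heavier_chain(chain_a, chain_b) -> str:
    """Pick the chain with more accumulated work ('A', 'B' or 'tie')."""
    wa, wb = chain_work(chain_a), chain_work(chain_b)
    return "A" if wa > wb else "B" if wb > wa else "tie"


def implied_hashrate(nbits_per_block, first_ts: int, last_ts: int) -> float:
    """Hashes per second the network must have had to produce these blocks
    between the two (constructed) header timestamps."""
    elapsed = last_ts - first_ts
    if elapsed <= 0:
        raise ValueError("timestamps must span a positive interval")
    return chain_work(nbits_per_block) / elapsed


if __name__ == "__main__":
    # Constructed: ten blocks at the genesis difficulty vs one block at a target 256x smaller.
    long_easy = [0x1D00FFFF] * 10
    short_hard = [0x1C00FFFF]
    print("blocks:", len(long_easy), "vs", len(short_hard))
    print("work  :", chain_work(long_easy), "vs", chain_work(short_hard))
    print("heavier chain:", heavier_chain(long_easy, short_hard))  # the 1-block chain wins
    # Same hash, two constructed targets: the second is just below the hash value.
    print(hash_meets_target(EXAMPLE_BLOCK_HASH, 0x170B9900))  # True
    print(hash_meets_target(EXAMPLE_BLOCK_HASH, 0x170B9800))  # False
    # Constructed timestamps: ten genesis-difficulty blocks in 6000 seconds.
    print("implied hashrate H/s:", implied_hashrate(long_easy, 0, 6000))
```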
Suppose I'm a new node and want to verify the blockchain. How do I verify that each block was mined with the correct difficulty?
I'd need some record about the actual real-world timestamps for each block. Then I could say something like "duration between block x and block x+1 was > 10 min, so the down-adjustment in block x+5 is justified".
But if those timestamps were stored on-chain, an attacker could simply lie about them and keep difficulty artificially low on its alternative chain.
On the other hand, if we had some un-forgeable record of block timestamps, wouldn't this solve the double-spend problem all on its own? Would we even need PoW at this point?
Ok, sibling comment seems to suggest bitcoin has solved this problem differently: https://news.ycombinator.com/item?id=29368166
No. For Bitcoin you can accept a chain with an arbitrary starting point and you would still arrive at the same chain everyone else uses.
Although you do need to have an idea of the earliest acceptable starting point-in-time — e.g. verifying a low-difficulty chain starting the year 200,000 BC (with one block every 10 minutes) would take quite a while
With PoW you don't care about the software code. The rules are dominated by the PoW because it literally proves to you which is the chain where most people are interested in, because literally no single entity could burn that much electricity.
With PoS on the other hand you kind of need these checkpoints in the actual software and then you have to activate this entire new trust model where you have to trust the client code, and where it came from etc. I could literally come up with an entire fake chain on my computer and present it to you and without client-checkpoints there would be no way for you to not accept my chain compared to your current one.
With PoW I don't have to trust anything. If the majority next year decides to change the rules, so be it. The majority has spoken.
For transacting indeed you need to trust the various clients, but that's easy and can be done once. With the consensus isn't being tampered with, and, more importantly that others are using other types of rules.
Bitcoin for example still relies on a list of hardcoded nodes for bootstrapping clients. Not to mention very few people actually bother to verify the full chain (360GB and counting) from genesis.
As for auditing the integrity of the code or binary, it is signed by GPG keys hosted on public key servers accessed using X509 certificates pinned by a couple of trust anchors preloaded in your OS. So much for distributed consensus...
You can literally validate the entire chain with a simple python script. Millions of those on github.
>Not to mention very few people actually bother to verify the full chain (360GB and counting) from genesis.
Absolutely wrong. The chain is validated in its entirety upon first sync. 100% from genesis to tip.
>Bitcoin for example still relies on a list of hardcoded nodes for bootstrapping clients.
It doesn't. Longest valid chain with most work is the canonical chain. Hardcoded seed nodes exist to speed up the discovery.
I challenge you to present a "simple python script" that implements the exact bitcoin consensus rules (as codified in bitcoin core). Bitcoin is not all that simple and there's a nontrivial amount of complexity in bitcoin script alone.
> The chain is validated in its entirety upon first sync. 100% from genesis to tip.
The default behavior is to skip signature verification for all signatures before some relatively recent block.
> Assuming ancestors of block %s have valid signatures.
when using -assumevalid. I agree it's imprecise, but it's not exactly wrong, since skipping scripts implies skipping signatures.
All network participants are forced to verify the full chain from genesis. Some might be OK with validating block header signatures only, and not the full transaction set. It's a tradeoff.
You don't need to use those public key servers if you somehow distrust the CA certificates in your OS. Feel free to contact the repository maintainers or whatever else floats your boat.
Anyway, bitcoin is an open source protocol, not a particular client implementation. If you distrust everything and everyone, no one can stop you from building your own client that works with the rest of the network.
I’m not the parent, but – no, I don’t. But that’s exactly the point. The need to bootstrap from centralized authorities is what’s supposedly so bad about weak subjectivity in proof-of-stake. Yet in practice, it’s needed with proof-of-work as well.
Bitcoin is an open source permissionless protocol, so you have multiple clients to choose from, each with their own list of bootstrapping nodes, many open source where you can submit a PR to add your node too. You can even build your own client and point to whatever you want. You can also just ignore them and just point directly to nodes in a list from a public forum, a private chat, whatever.
Also, you're not just connected to those bootstrapping nodes: you use them to find the rest of the peers in the network.
I characterized this as relying on centralized authorities (albeit several of them), but sure, it can also be considered decentralized to some extent.
The point is that it's a mechanism outside of the proof-of-work network itself. Instead of relying on a machine to reach consensus via a formal protocol, you the human are probing for a social consensus by evaluating statements made by other humans (via GitHub, public forums, or private chats, or just talking to people in person).
In both proof-of-work and proof-of-stake, you need to find social consensus in order to initially obtain the software, after which point you can rely on the network's consensus.
The difference with proof-of-stake is that you have to redo this if you disconnect from the network for months on end.
In practice, for a variety of reasons, practically all users of cryptocurrencies download regular software updates, and thus continue to rely on social consensus, regardless of whether the currency is proof-of-work or proof-of-stake.
1. X is a problem?
2. But Y is also a problem, in my opinion.
3. X and Y are both the same, I think.
4. Therefore X is not a problem.
We can - theoretically - verify the correctness of PoW software by downloading the source code, reading it over, etc. We can also refuse to update, reducing ourselves to SPV security. We can internally verify the checkpoints using 100% objective standards. There are other things as well. This is not the case for PoS, where our "signature A existed at time B" has to be taken as faith, or evidence of things unseen. There is no internal way to verify the veracity of such a statement.
The fact that users aren't personally doing this, is not the same as saying it makes no difference whether they are able to or not. I'm not personally going to withdraw all the money in my bank account - that would be ridiculous - but if the bank informed me I was no longer able to withdraw the money in my account, that would not be suitable at all. The assurance that I can do it makes it so that I don't have to.
It seems like you reject this premise, maintaining that PoW networks are objectively verifiable? But you didn't really refute the parent's point there, which was that there are no "objective standards" in deciding which bootstrap nodes to use; it's ultimately a matter of trust. If I trust the wrong bootstrap nodes, I can be eclipsed from the real network.
Granted, I only have to trust that a single bootstrap node from the list will faithfully connect me to the honest network. But PoS involves a very similar 1-of-n trust model; I can request checkpoints from n semi-trusted sources and check that they match.
Also, granted, if I pick bad bootstrap nodes, I can still detect if I'm being eclipsed by looking at the hash rate. But how do I know what hash rate to expect? I could check n websites with hash rate charts, but that brings us back to 1-of-n trust.
> 4. Therefore X is not a problem.
IMO it's a manageable problem. Users just need to be cognisant of these trust assumptions they're relying on, and be thoughtful about picking semi-trusted peers (whether bootstrap nodes or checkpoint providers).
Right, but it's not about trust in the same way. I can add an infinite list of bootstrap nodes. Quantity matters, not quality.
> But PoS involves a very similar 1-of-n trust model; I can request checkpoints from n semi-trusted sources and check that they match.
"Very similar," not the same. You need "semi-trusted sources", and there's no objective standard in case they disagree.
Satoshi tried to convince us that we could decentralise trust by doing honest work instead of relying on authority. It turns out that doing work is actually pretty hard, people are lazy, and security is still the nemesis of efficiency.
In IPv4 a client might have a chance at auto-discovering peers.
It's also not necessary to rely on a single centralized authority. There are many things (DNS, Encyclopedias, Linux kernel mirrors, etc.) where the majority of existing centralized authorities agree with each other.
What part of DNS do you feel is possible without a centralized authority?
It does, but it doesn't have to. You can use any mechanism you want to obtain one initial node and take it from there. You will still be connected to the network just as well, and you will be guaranteed to obtain the same results. This differs from Proof of Stake, where the quality of the results will be influenced by the quality of the bootstrap.
If your chain tip is on the dead side of a hard fork (i.e. if the majority of the network will predictably soon finish switching away from software which considers your chain tip valid, to software which considers your chain tip invalid), then nobody cares if your chain tip is the longest in the interim, or how long you still hold out running the software that considers your chain tip valid. Your side of the fork no longer holds any economic value as a platform for transactions, so nobody will participate in it. You'll just be out there mining blocks all alone, blocks that say you earn all the virtual tokens, but where those tokens are worthless on your side of the fork.
It's a bit like how, in old pre *serv IRC networks, in cases of netsplits, you could end up on a partition of the network where you were the only one in a previously-moderated channel; and so you could effectively do whatever you wanted in that channel. But it didn't really matter, because nobody could hear you.
Except the people you bought something real-world from, once they figure out that their "tipcoin" is worthless. So now it's a question of convincing some people that your technobabble is valid enough. How hard is that?
You could follow the consensus rules set out from the beginning and you would still end up on today's majority chain.
I believe there were a couple of early bug fixes along the way, which makes this not strictly true. As in the original first release of the software not actually capable of downloading all of the chain, which some people love to point to as a proof of it being a fallible system. This is probably true but doesn't really detract from the original point of guaranteed ownership by never relaxing the consensus rules.
also, hi, long time! maksym here =)
You mention “POW forks”, but Bitcoin’s POW has never been hard forked: you’d need to trust a Bitcoin expert to tell you if it was a good idea.
And with proof of work a lawsuit could force the distributor to change the consensus rule so that a particular transaction is invalid - just as Ethereum did voluntarily with the original DAO.
> You mention “POW forks”, but Bitcoin’s POW has never been hard forked
Instead it’s been soft forked, which turns the consensus rules into a popularity contest. If a soft fork produces two competing branches of the blockchain, old clients will go with whichever branch has more mining power. Which means you open yourself up to interesting attacks like convincing 51% to literally steal the funds of the other 49% (which is much worse than a mere double spend). Or, more realistically, in the case of a contentious soft fork that ends up roughly fifty-fifty, you could ‘just’ end up on a different side of the fork from the people you want to transact with. Either way, soft forks don’t make the downsides of policy changes go away.
Soft forks don't force you to download and run new clients just to be able to use the network, which is an important difference. You can use your existing client, you just don't have the new features and don't run validations on them.
The greatest risk on soft forks is that chain split you mention. That's why any reasonable soft fork deployment requires a long time window with a large majority of hashrate signaling support (like 95%).
In Proof of Work, a lawsuit could force the distributor of the software to hard-code a transaction that reverses the coin theft. But in both the PoS case and the PoW case, anyone using that client would be partitioned off from the honest network majority.
> You mention “POW forks”, but Bitcoin’s POW has never been hard forked: you’d need to trust a Bitcoin expert to tell you if it was a good idea.
Bitcoin's PoW forked in 2013, when a database upgrade to the software made it incompatible between two recent versions. The Bitcoin developers had to jump in and tell people which PoW fork to follow and which one to abandon.