Board: Development & Technical Discussion
Re: Proof of Stake Bitcoin?
by dinofelis on 26/01/2018, 10:53:33 UTC
>> Yes, and nobody needs that.  One only needs ORDER, not "real world time proxies".
>
> And how do you think you arrive at the order? Without reliable time-stamping, you don't and can't. It is the building block upon which all this is based.


Order is simply a consensus.  It has not much to do with time.  In fact, transactions don't even need to be time-ordered.  If there are no double-spends, their order is automatic.  I could give you all the individual transactions in the bitcoin block chain in a random order, and you would be able to put them in order again.  They form a strictly ordered graph.  They don't need any time stamp.  They don't even need an indicated order; they order themselves.

The only thing one needs "consensus state momentary pictures" for is arbitration of double-spends.  One needs to come to consensus over which of two spendings is going to be part of the "accepted truth".  This doesn't even need to be the one with the earliest real-time stamp.  It is a random decision, but that random decision needs to be part of a consensus.  If there are no double spends, the consensus is automatic.  If there are double spends, we need to come to a consensus on which one to retain as the 'real one'.  It sounds obvious that it should be the first in real time, but it doesn't have to be.
It is only after this consensus is reached that one can be certain about one's balance.  Up until the moment of global consensus, while transactions are pending, there could be double spendings, and one cannot know which one will be part of the next consensus.

The consensus images need to be ordered with respect to the transaction graph.  They do not even need to be ordered between disjoint transaction subtrees.  Of course, when subtrees mix, there needs to be a logical order between the last "unsynchronized consensus" on each subtree and the first one after the mix.  In other words, the consensus pictures need to have an order similar to that of the ordered graph of transactions.

But that's all that is needed: order, not "real world time".  Of course, IF you tag real world time to transactions, you automatically get an ordering.  And IF you tag real world time to consensus pictures, they are of course also automatically ordered.  But it is not a necessary condition.

>> In proof of work, if you do slightly more work than the "good guys" (that is, the ensemble of miners that were working "honestly"), you won.  It is sufficient that you have proven, say, 50% more hashes than the "good guys" and your chain will take over.  With a digital signature, that is not "50% more", but 2^128 times more or so.
>
> 'Slightly more' work than the rest of the network is vastly more work than solving a single block.

It is slightly more work than was needed to make the piece of block chain you want to overdo.  (and hey, you even get the new block rewards too).  If I want to overdo 10 weeks of block chain, I'll need somewhat more proof of work than 10 weeks of block chain building.  The question is in how much time I can do this.  But the amount of *work* is not related to the RATE of my work.  If I had the hardware to do 100 times the rate of work that is really spent on the block chain right now, I wouldn't need to spend much more actual WORK.  I could do it in a day or so (10 weeks of block chain).  In order to avoid this, one needs to make sure that nobody is accumulating hardware capacity without using it.  Bitcoin is only protected if one can make sure nobody has a significant amount of unused hardware.  If one has a huge pile of unused hardware, one can switch it on and outperform the existing system with not much more proof of work than was put into it.

So bitcoin's ultimate protection is not by proof of work, but by proof-of-non-existence-of-unused-hardware.  See, the attack of piling up unused hardware is obvious in PoW.


>> They are only vulnerable to attacks from the inside, that is, from their owners, and then it depends exactly on the PoS scheme used.  They cannot be attacked from the outside, from someone who doesn't have any stake in the system and never owned some stash.  As to the exact attacks that are possible, that depends on the precise implementation of the PoS scheme.
>
> If I pay 100% of staking stake-owners to send a transaction to themselves at precisely 12:00pm next Monday, whichever chain I choose would be stalled forever. That's a fairly obvious external 'attack'.

That really depends on the PoS algorithm.  It would be a stupid algorithm that doesn't allow staking.  Normally, a good PoS algorithm ORDERS the staking candidates according to things like actual current stake, previous stakers, and pseudo-random numbers calculated from the previous accepted consensus, and extra weights for coin age and so on, and then gives priority to that staker that actually proposes a consensus and is highest on the list.  So there is always a highest staker on the list of those that propose a consensus.  All possible previous states should always accept a single valid staker amongst all proposed stakes.

>> PoW can even be attacked with all users offline, because the PoW stake holders have nothing to do with the coin.  If tomorrow, the Chinese government confiscates most of the mining equipment, bitcoin is in the hands of the Chinese government.  With a PoS coin, that's simply impossible.
>
> Sorry, that's just plainly incorrect. If the Chinese government confiscates all mining equipment in China, bitcoin blocks will slow down as the rest of the world gradually takes up the slack. On the other hand, if some force confiscates all the staking stake from a PoS chain, the chain is dead forever barring a hard fork.


I meant: the Chinese government confiscates all mining equipment to use it as an attack on bitcoin, not to stop it from running.  As I said, there shouldn't be any staking stake.  There's just proposed consensus solutions by those who stake, and a PoS algorithm, known to everyone, indicates, amongst the propositions, which one is the accepted winner.  If there's only one proposition, obviously that single proposition wins.

You can say: hey, but what happens if a higher-ordered staker propagates a past consensus decision then?  Well, if in the meantime new consensus decisions arrived on top of the previously accepted one, it's done; he lost his chance to stake.  As such, of course, you can get divergent histories, but a good PoS algorithm also has a global branch preference, which is essentially a pseudo-random number.  If you are, as a staker, confronted with two branches, you should stake on the one with the highest "global preference", even if you are to be a staker on the lower one.  This is the solution to the "nothing at stake" problem: there should also be a pseudo-random cumulative weight for each branch; obviously one will win.

And finally, there shouldn't be any reward for staking.  It should be a voluntary act.  That would keep people from wanting to disrupt the staking just to get the rewards.
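Added example, not part of the post above: the "they order themselves" claim in code. A constructed set of transactions is shuffled and put back into a valid spend order from its input references alone, and the same code shows that a double-spend is the one case the graph cannot settle, which is exactly where the post says consensus arbitration comes in. Transaction names and the sample set are constructed for illustration.

```python
"""Transactions form a spend graph: every input names a previous output.
A valid order is any topological order of that graph, so no time stamps
are needed. Two spends of the same output break this and need arbitration."""
from collections import defaultdict, deque
import random

# Constructed sample set. Each tx: (list of (parent_txid, output_index), number of outputs)
TXS = {
    "coinbase": ([], 2),
    "a": ([("coinbase", 0)], 1),
    "b": ([("coinbase", 1), ("a", 0)], 2),
    "c": ([("b", 0)], 1),
    "d": ([("b", 1)], 1),
}
# Same set plus a second spend of output ("a", 0): a double-spend.
TXS_DOUBLE_SPEND = dict(TXS, e=([("a", 0)], 1))

def find_double_spends(txs):
    """Return {outpoint: [txids]} for every output spent by more than one tx."""
    spenders = defaultdict(list)
    for txid, (inputs, _) in txs.items():
        for outpoint in inputs:
            spenders[outpoint].append(txid)
    return {op: sorted(ids) for op, ids in spenders.items() if len(ids) > 1}

def order_transactions(txs, seed=0):
    """Recover a valid spend order from a shuffled set (Kahn's algorithm).
    Raises ValueError on a double-spend: the graph alone cannot say which
    conflicting spend is the 'real one'; only a consensus decision can."""
    conflicts = find_double_spends(txs)
    if conflicts:
        raise ValueError(f"needs arbitration: {conflicts}")
    ids = list(txs)
    random.Random(seed).shuffle(ids)  # deliberately discard any given order
    parents = {t: {p for p, _ in txs[t][0]} for t in ids}
    indeg = {t: len(parents[t]) for t in ids}
    children = defaultdict(list)
    for t in ids:
        for p in parents[t]:
            children[p].append(t)
    ready = deque(sorted(t for t in ids if indeg[t] == 0))
    ordered = []
    while ready:
        t = ready.popleft()
        ordered.append(t)
        for c in children[t]:
            indeg[c] -= 1
            if indeg[c] == 0:
                ready.append(c)
    if len(ordered) != len(txs):
        raise ValueError("cycle or missing parent: not a valid spend graph")
    return ordered

def is_valid_order(order, txs):
    """True when every transaction appears after all the outputs it spends."""
    pos = {t: i for i, t in enumerate(order)}
    return all(pos[p] < pos[t] for t, (ins, _) in txs.items() for p, _ in ins)
```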