Board: Development & Technical Discussion
Re: Proof that Proof of Stake is either extremely vulnerable or totally centralised
by Zin-Zang on 09/09/2018, 08:38:58 UTC
Well, let's have an example (with a "chain trust" based coin):

You're staking with 21 UTXOs of 1% each and one UTXO of 30% of the total staking capacity (51% total).
You want to trick an exchange, double-spending some coins, and need a fake chain of 21 blocks.
Now you double-spend. Then you privately mint the 21 blocks with the relatively small 1% stakes.
Block 22 is crucial, because there you must trick the other nodes into a re-org. So for block 22, you use the 30% stake to boost chain trust. Now you publish the fake chain. The 30% stake now gets "dormant", but after the fake chain has been published, you don't need any stakes to be "live" because you have already tricked the other nodes into using your fake chain.

You have a high probability that your chain becomes the longest chain (with the most chain trust) then, because the accumulated stake in the fake chain is exactly 51% and the rest of the nodes can only accumulate 49% on the "honest chain", because they are also affected by the "dormant stake" rule.

If not (there is a certain probability for it), you can repeat the attack after all the "dormant" periods have expired. There is zero cost for that. There is a high probability that you eventually will succeed.

Good, now you see the dormant period. Smiley

And the attacker has to wait for the dormant period to elapse, but if the Proof of Stake coin uses coin age he also has to wait for the maximum coin age, so time-wise he has to wait anywhere from 20 to 90 days for maximum coin weight before his next attempt. (Depending on the coin's specs: some have unlimited coin age, some cap it at a maximum 20- to 90-day weight.)

Which, as you surmised, means he can attempt a double spend again at the optimal time.
But unlike PoW, what he can never do is maintain 51% control and block transactions from being added to the blockchain indefinitely.

So that negates the transaction-censorship danger from PoS 51% attacks, a danger that is almost certain with PoW 51% attacks.

So for PoS the only real threat is the double spend, which can be blocked by increasing the required transaction confirmations or, to be 100% certain, by waiting until the confirmation count exceeds the rolling checkpoint that blocks all reorgs.

To be honest, all PoS coins could institute a 1-hour rolling checkpoint and be guaranteed no double spend after 1 hour.
(Ending the only threat a 51% attack poses toward a PoS coin.)

PoW coins could do the same, as rolling checkpoints are an easy way to block reorgs while staying decentralized.
However, it still would not protect a PoW coin from a 51% attack where the attacker's goal was blocking new transactions from entering the chain.

* Another reason Proof of Stake is a superior consensus method to Proof of Work. * Wink
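The rolling-checkpoint mitigation discussed in the reply (accept a competing chain only if it does not rewrite blocks older than the checkpoint, and treat a transaction as final once its confirmations exceed that depth) can be modelled as a small node-side acceptance rule. The following is an added example written for this thread; it is not code from the post or from any PoS coin. The `Block` type, the trust units, the block labels (`h-8`, `a-29`) and the checkpoint depth of 10 blocks are all constructed values; the post speaks of a 1-hour checkpoint but gives no block time, so depth is counted in blocks here.

```python
"""Toy model of a rolling-checkpoint reorg guard for a chain-trust PoS node.
Constructed example: block ids, trust units and the checkpoint depth are
made-up values, not any coin's real parameters."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Block:
    height: int
    block_id: str    # constructed label standing in for a block hash
    parent_id: str
    trust: int       # stake weight credited to this block (toy units)


def make_chain(prefix: List[Block], start_height: int,
               trusts: List[int], tag: str) -> List[Block]:
    """Extend `prefix` with one block per entry in `trusts`, labelled with `tag`."""
    chain = list(prefix)
    parent = chain[-1].block_id if chain else "genesis"
    for i, trust in enumerate(trusts):
        height = start_height + i
        block_id = f"{tag}-{height}"
        chain.append(Block(height, block_id, parent, trust))
        parent = block_id
    return chain


def chain_trust(chain: List[Block]) -> int:
    """Accumulated chain trust: the metric a chain-trust node compares between forks."""
    return sum(block.trust for block in chain)


def fork_height(current: List[Block], candidate: List[Block]) -> int:
    """Height of the last block both chains share; -1 if they share nothing."""
    shared = -1
    for a, b in zip(current, candidate):
        if a.block_id != b.block_id:
            break
        shared = a.height
    return shared


def should_reorg(current: List[Block], candidate: List[Block],
                 checkpoint_depth: Optional[int]) -> bool:
    """Switch to `candidate` only if it carries more trust AND rewrites no block
    at or below the rolling checkpoint (tip height minus `checkpoint_depth`).
    `checkpoint_depth=None` models a node with no checkpoint at all."""
    if chain_trust(candidate) <= chain_trust(current):
        return False
    if checkpoint_depth is None:
        return True
    checkpoint = current[-1].height - checkpoint_depth
    return fork_height(current, candidate) >= checkpoint


def is_final(tx_height: int, tip_height: int, checkpoint_depth: int) -> bool:
    """A transaction is final once its block sits at or below the checkpoint,
    i.e. it has more confirmations than the checkpoint depth."""
    return tx_height <= tip_height - checkpoint_depth


# Constructed scenario mirroring the quoted attack: the honest chain has 30
# blocks of weight 1; the competing chain forks after height 7, carries 21
# low-weight blocks plus one heavy block, so its trust (39) beats honest (30).
HONEST = make_chain([], 0, [1] * 30, "h")
COMPETING = make_chain(HONEST[:8], 8, [1] * 21 + [10], "a")
CHECKPOINT_DEPTH = 10   # blocks; assumed value, the post gives 1 hour


def scenario() -> dict:
    """Return what a node decides with and without the rolling checkpoint."""
    return {
        "honest_trust": chain_trust(HONEST),
        "competing_trust": chain_trust(COMPETING),
        "fork_height": fork_height(HONEST, COMPETING),
        "reorg_without_checkpoint": should_reorg(HONEST, COMPETING, None),
        "reorg_with_checkpoint": should_reorg(HONEST, COMPETING, CHECKPOINT_DEPTH),
        # the original spend sits in block 8, the first block the fork rewrites
        "spend_final": is_final(8, HONEST[-1].height, CHECKPOINT_DEPTH),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

With no checkpoint the node follows raw chain trust and accepts the 22-block rewrite; with a 10-block checkpoint the fork point (height 7) lies below the checkpoint (height 19), so the heavier chain is rejected and the spend in block 8 is already final. An exchange that waits for more confirmations than the checkpoint depth therefore cannot be caught by this reorg, which is the confirmation rule the reply recommends.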