Proof-of-stake is fundamentally flawed.
https://download.wpsoftware.net/bitcoin/pos.pdf

Proof-of-stake is frequently proposed as a mechanism for distributed consensus in non-Bitcoin cryptocurrencies (altcoins). However, this idea appears to be fundamentally flawed. We explore the history and motivation leading to Bitcoin's distributed consensus mechanism, which evades an impossibility result, and demonstrate that proof of stake does not work as a replacement.
...
Now, we have a consensus history and an attacker who is able to fork it at some early time. To actually replace the entire consensus history, he needs to produce an alternate history, starting from his fork, which is longer than the existing history. But every block needs a new random selection of signers, so is this possible? The answer is absolutely yes: we have been using this word random, but in fact we have required consensus on the set of signers (otherwise forks would trivially happen), so even a random selection must be seeded from past consensus history
...
Further, this ability to control the future selection of stakeholders (and even the set of stakeholders, by controlling which transactions appear in blocks) has serious consequences. This is because even without a deliberate attacker, the signers who extend the history at every point have an incentive to direct the history toward one in which they have more stake (and therefore more reward), which causes the system to trend toward centralization. They may do this by skewing the stake selection of future blocks, or more insidiously by censoring transactions which (may eventually) increase the set of stakeholders.
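As an added illustration of the argument quoted above (not code from the paper or from either poster), the following toy model shows why a "random" signer selection that must be seeded from consensus history can be steered by whoever writes the current block. The stake distribution, the hashing scheme and the number of candidate block contents are all constructed assumptions; the point is only that a deterministic function of history gives the block author a choice, and that the resulting bias grows quickly with the number of choices.

```python
import hashlib
import random

# Constructed toy stake distribution (assumption for illustration):
# one party holds 10% of all stake, everyone else holds 90%.
STAKES = {"attacker": 10, "honest": 90}


def select_signer(seed: bytes, stakes: dict) -> str:
    """Stake-weighted choice of the next signer, driven entirely by `seed`.

    This mirrors the situation the paper describes: every node must agree on
    who signs next, so the 'random' choice has to be a deterministic function
    of consensus history rather than fresh entropy.
    """
    total = sum(stakes.values())
    r = int.from_bytes(hashlib.sha256(seed).digest(), "big") % total
    acc = 0
    for name, stake in sorted(stakes.items()):
        acc += stake
        if r < acc:
            return name
    raise AssertionError("unreachable: r < total")


def next_seed(prev_seed: bytes, payload: bytes) -> bytes:
    """Seed for the next selection = hash(prior history || this block's content)."""
    return hashlib.sha256(prev_seed + payload).digest()


def selection_rate(stakes: dict, who: str, candidates: int,
                   trials: int, seed: int = 0) -> float:
    """Fraction of trials in which `who` ends up as the next signer.

    `candidates` is how many different block contents the current author is
    free to try before publishing (1 = no freedom at all). With more than one
    candidate, the author publishes whichever content makes `who` the next
    signer, if any such candidate exists; otherwise any of them is published.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        # Constructed prior history: a fresh 32-byte value per trial.
        prev = rng.getrandbits(256).to_bytes(32, "big")
        for i in range(candidates):
            payload = i.to_bytes(4, "big")  # stands in for e.g. a tx ordering
            if select_signer(next_seed(prev, payload), stakes) == who:
                hits += 1
                break
    return hits / trials


def predicted_rate(stake_fraction: float, candidates: int) -> float:
    """Closed form: P(at least one of `candidates` seeds lands on the party)."""
    return 1 - (1 - stake_fraction) ** candidates


if __name__ == "__main__":
    print("no freedom   :", selection_rate(STAKES, "attacker", 1, 5000, seed=1))
    print("20 candidates:", selection_rate(STAKES, "attacker", 20, 5000, seed=1))
    print("predicted    :", predicted_rate(0.1, 20))
```

With a single candidate the 10% party is chosen about 10% of the time, as stake weighting intends; with twenty candidate block contents it is chosen roughly 88% of the time, matching 1 - 0.9^20. This is the defender-side lesson of the quoted passage: any selection rule that every node can compute from agreed history is, by construction, one the current block author can also compute in advance and select against, so "randomness" derived from the chain does not limit who signs next in the way proof-of-work's external search does.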
Isn't that what I wrote in 2013...

Cross-posting from the following linked post:
https://bitcointalk.org/index.php?topic=558316.msg6501774#msg6501774
It is time to squash Proof-of-Stake once and for all. It can
NEVER remain decentralized...
The other attacks you describe all derive from the fundamental reason I declared all non-proof-of-work systems to be insecure back in April.
My logic was mathematically fundamental. The input entropy set is quite deterministic and well known and thus can be preimaged. For example, accumulating a lot of coin-days-destroyed and then targeting them in clever ways to subvert the security.
...
(In any non-Proof-of-Work design,) it is mathematically impossible for there to be external consensus trust of the honest chain if the dishonest chain is controlled by more than 51% of the peers. We've covered some of the scenarios upthread, and it always boils down to that the external viewers cannot know who to trust except by trusting the majority of peers.
The only mathematical way around this is to centralize the network, by placing more trust in some peers than others over time.
Indeed long-term reputation is a mathematically viable alternative to Proof-of-Work. This is centralization...
Notwithstanding the above, any non-Proof-of-Work system can be attacked with much less than 51% of the peers, due to the fact that the input entropy is preimageable, as I explained upthread. Again the only way to work around this is to trust some established peers to guard against this.
...
The fundamental math problem with using any metric from the block chain (or any consensus voting such as proof-of-stake) is that it can be gamed deterministically unlike proof-of-work which is a randomized process, i.e. the input entropy is not orthogonally unbounded as it is in the randomization of proof-of-work.