Proof-of-Stake Is Always Flawed

I hope readers found the links in my blog to my Medium posts where I explained the many flaws in the designs that are being planned and contemplated for proof-of-stake (code named Casper) and scaling for Ethereum.

And hope readers visited all the links in my above blog to details about the flaws in the delegated proof-of-stake (DPoS) which powers EOS, STEEM, and other blockchains.

Proof-of-Approval

Additionally I have explained the extant weakness in the proposed Proof-of-Approval variant proof-of-stake consensus system.

I wrote on Medium:

Hello Shunsai Takahashi.

As you know in your bitcointalk.org thread, @‍monsterer2, others, and I discussed some vulnerabilities in your Proof-of-Approval (PoA) consensus system. Specifically I pointed out that in plausible reality there’s not 100% finality because due to the requirement for 50+% of the stake to always be online that PoA analogous to all proof-of-stake systems really only function because they’re run by a 50+% oligarchy. Proof-of-stake does not function well without an oligarchy in control. Thus the 50+% attack is the norm, not the exception. Normally the oligarchy in control is benevolent in terms of double-spending and extracts their rents via other schemes. Some typical figures I’ve seen cited for stake participation are at most 30% of the stake. The implication of this is that the table in your blog which compares your PoA system to Nakamoto proof-of-work seems disingenuous in light of all the details as I explained. Although the end-game of proof-of-work is apparently also an oligarchy. Perhaps your table’s comparison to Ouroboros was at the time of writing this message correct to claim PoA’s advantage of one (1) block transaction confirmation finality compared to Ouroboros’ 100s of blocks because Ouroboros (in the non-delegated mode) also has the same vulnerability of requiring 50+% of the stake to always be online. I need to study Ouroboros more carefully in the future, which I may do for the upcoming Part 3 of my recent blog.

Paul explained that PoA also is vulnerable to the typical nothing-at-stake (NaS aka N@S) flaw which plagues all proof-of-stake systems. The NaS attack only applies to a 50+% attack. The problem is that although Nakamoto proof-of-work is also vulnerable to a 50+% attack, unlike NaS there’s an ongoing cost to attack proof-of-work. In theory it’s plausible to recover the costs of a rented hashrate attack by double-spending, but in practice no one thinks that is very realistic on Bitcoin with its tremendous systemic hashrate. And proof-of-work is permissionless yet proof-of-stake is not.

If we could argue that 50% of the stake is difficult for an attacker to obtain and if the slot and epoch slashing (of conflicting approvals) didn’t have the boundary ambiguity problem, then AFAICT the NaS issue would be somewhat mitigated. But unfortunately, I don’t think 50% of stake is difficult for an attacker to obtain and anyway the presumption that 100% of the stake will always be live is unrealistic.