Regarding PoS, my view is that an attacker holding 4–12m ETH is moderately bad but not fatal. If the attacker uses their ETH to 51% attack Casper, then their security deposits get destroyed and we keep going. But the attacker could do more moderately bad stuff like the equivalents of selfish mining, degrading the quality of consensus, if they have 51% then doing frequent small-depth rollbacks, blocking ALL transactions if they’re feeling really evil (though Vlad has thought up of defenses by which if attackers block too many clearly legitimate transactions then the community will subjectively realize this and essentially clients will automatically coordinate to “fork” them off the network, but this still requires a large amount of study and research and may not be in Casper 1.0). Note that doing small-depth rollbacks too often will cause the attacker to lose their ether alongside all of the hapless legitimate validators that are in there with them, but over the course of perhaps a year rather than immediately. Also, 51% attacks have serious consequences to sharding that are less well-studied (though the consequences are probably less severe in some of my newer forms of sharding where the sharding is in some sense less explicit).