Vitalik Buterin
4 min read · Jul 12, 2017


> This statement is misleading, because he is really only talking about what a 51% attacker could do to the very last blocks in the blockchain.

No, I’m talking about what a 51% attacker can do to *any* block in the blockchain. The great majority of costs of mining are capital costs, not operating costs; last time I did the math the ratio was something like 3:1. So if an attacker has the capital to do one attack on six blocks, they are 75% of the way to being able to do attacks on years of history.

> After the multi-billion mining equipment acquisition costs, the cost of running the Bitcoin network for 200 days would be over $700 million (7.5 TWh at 10 cents/KWh).

Ok, seems like we agree on the above ratio.

> there will always be a tug of war between attackers and defenders — no matter which security mechanism one uses. To speak of a cost/defense ratio of 1:1 is quite meaningless in my opinion.

How so? In order to have the $2b cost of attack, it was necessary for bitcoin miners to have burned substantially more than $2b worth of resources. That’s a 1:1 ratio (in fact, worse than 1:1), which is very meaningful. With PoS we can have a tug of war where the defenders have a 10:1 advantage, or better.

> Or the attacker can strategically target a huge amount of users, making sure to only inflict a small amount of financial damage per user — so that the cost per individual to rally against the attacker is higher than the loss incurred by the attack.

This is not feasible. You’re talking about a 4-month-long chain reversion here; there is no way to make that inflict only a “small amount of financial damage”. This is a consequence of the inherent “all-or-nothing” property of a blockchain.

> they often entirely disagree on how it should be dealt with

Sure, but in the case of a long range attack the way to deal with it is incredibly clear: follow the chain that showed up earlier, and not the chain that showed up later.

> Given that TheDAO bailout passed by supposed ‘community consensus’ even though less than 6% of Ether in circulation voted on the matter in a process of under 2 weeks, it seems risky to ‘offend’ the wrong people in the ETH community.

This has nothing to do with a discussion on proof of stake. It’s entirely possible to have a proof-of-stake based chain that opposes DAO-style hard forks.

> but what we can not count on is the idealistic concept of social consensus.

Then how do you know what software to run when running a full node?

> To my knowledge, proof-of-stake has no equivalent applications in either human history or biology.

Government agencies use security deposits in various contexts all the time. Money transmitter and banking license surety bonds are one example. Bail bonds are another. The use of hostages in various forms of negotiation throughout history is a third.

> A PoW 51% attacker can significantly slow down the network, but even a single attempt to revert historical transactions requires a huge and long-running expense

A cost at best equal to, and in most real-world cases substantially less than, the cost paid by legitimate miners to create the blockchain. PoS can achieve a much more favorable ratio.

> SolidX’s Bob McElrath makes the point that the strategy of ‘economic punishment’ of attackers is moot if the punishment itself can be forked away.

Sure, though if a chain censors punishments, then *that chain* can once again be forked away, much like Bitcoin Core developers advocate changing the proof of work in response to 51% miner coalitions censoring everyone else’s blocks.

> Another criticism of bonded PoS, as recently voiced by BitTorrent creator Bram Cohen, is the question of how one prevents honest stakers from being tricked into interacting with the network in a way that triggers the punishment that is supposed to protect them. (Think of it as the crypto equivalent of large-scale swatting.)

This is not possible; a validator cannot lose their security deposit unless they violate one of a set of slashing conditions, and compliance with these conditions can be verified client-side.

Validators can also be penalized for appearing to be offline, but the algorithm is designed so that causing others to lose a large amount of money also requires the attacker to lose a similarly large amount of money. Note that proof of work also has this property, as 51% attacks can fork off other miners’ blocks arbitrarily, causing them to burn electricity mining but not receive any revenue — in fact, proof of work is worse in this regard because 51% coalitions can “grief” outsiders at a profit, whereas Casper only lets you grief at a cost.

> An alternative attack scenario, suggested by Galois Capital’s Kevin Zhou, is one where the attacker tricks enough honest people onto his network, so that it becomes these honest people’s interest to support the attacking chain as the true chain.

Except that if this attack succeeds at reverting finality, it still costs the attacker a really huge amount of money.
