Understanding Proof of Stake through it’s Flaws. Part 3— ‘Long Range Attacks’

Note: This is the final part in a series in which I investigate the major problems with Proof of Stake currencies in an attempt at gaining better understanding of them. See part 1 for an introduction to Proof of Stake and part 2 for a discussion of the ‘Nothing at Stake’ problem.

While PoS clients do penalize things like double-voting in the short-term, they can’t stop the individuals who were around for the beginning of the chain to revert all of the blockchain history and start a new, seemingly valid chain. In effect, every version of a blockchain that exists or has ever existed could be revived and run as its own chain, if the underlying protocol allows for it.

In Proof of Stake chains, in the early stages there will be a relatively small group of miners with coins staked. As more and more users join the chain and obtain the underlying asset, the pool of miners, i.e., the users who have staked coins, becomes larger. However, after the fact, the original, small group of miners can get together and decide to go back and ‘revive’ that early version of the chain, and since in the ensuing stages they would be the only ones who could mine blocks, they would soon hold a large share of the assets on that chain. And since there isn’t a limit on the growth-rate of Proof of Stake chains, only how long it takes each chosen miner to mine the next block, these chains can suddenly become extremely long.

Most clients, for example Casper and NXT, address this in a roundabout way, by requiring, in their protocols, that only blocks with a certain range of prior blocks (720 in NXT’s case) can be disputed, while the rest are a part of the “main chain”. However, this simply changes the scope of the problem. Under this protocol, nodes will have undefined behavior when they:

1. Come back online after more than the amount of time in the ‘window’ given by the client
2. Come online for the first time

These two cases lead to something called ‘Weak Subjectivity’.

Weak Subjectivity

“Weak subjectivity” is the notion that a node that comes online for the first time will have to ask a trusted source what the hash of the valid chain is. This completely undermines the trustless nature of blockchains, something many view as the ‘killer app’ of blockchain technology.
All proof of stake blockchains have this issue.

• Peercoin, for example, simply gets around it by broadcasting the hash of the “legitimate” chain on a daily basis.
• NXT simply ignores the problem, saying in their wiki that since clients automatically reject any changes more than 720 blocks in the past, they are not susceptible to long-range attacks. However, this simply means that they are confident that no sizable portion of the network will stake an attack before 720 blocks in the past. However, they do acknowledge the problem’s existence: “Due to the extremely low probability of any account taking control of the blockchain by generating its own chain of blocks, transactions are deemed safe once they are encoded into a block that is 10 blocks behind the current block height.”
• Vitalik acknowledges that CASPER will need to depend on trusted nodes to broadcast the correct block hash.

Trust was the whole reason bitcoin was created. The foundation of blockchain technology is that you can submit a transaction to the network and know that it will become a part of the ledger without having to depend on a trusted third party like a bank or government. And yet, the proponents of Proof of Stake all advocate once again trusting a third party in the name of fewer resources being used. This seems to compromise the foundations of blockchain as we know it.

However, in the proof of stake FAQ, Vitalik puts forward an argument why weak subjectivity is very unlikely to cause a blockchain to become compromised on its own:

“consider the kind of situation where weak subjectivity by itself would compromise a blockchain’s security. In such a world, powerful corporate or nation state actors would have the ability to somehow convince an entire community that block hash B was the block hash of block XXXYYY when most of them saw at the time and have stored in their own computers that the block hash of block XXXYYY was A, but for some reason such powerful actors would not have the ability to trick users into accepting a different location from where they download their client software.”

Conclusion

We’ve seen that Proof of Stake moves the ‘grounding’ of the blockchain from off-chain assets to on-chain ones, essentially setting mining costs to zero.

Regardless of how you feel about this change, I hope you can appreciate that cryptocurrency protocols all fundamentally work within a set of trade-offs. By removing the external costs to bitcoin mining, Proof of Stake warps the mining incentive structure and reduces the guarantees of having a single blockchain. There appears to be a clear trade-off between mining costs and the level of trust required of other participants in the blockchain.

It may be the case that if we want to curb the immense resource consumption of cryptocurrencies, we will have to once again trust each other instead of mathematical proofs.