2014-11-22

Proof of Stake lacks a fail-safe

I discussed my various doubts about delegated Proof of Stake a few months back. Thinking about it some more recently, I have one more idea to add to that discussion, one that applies both to Proof of Stake and to distributed PoS - the lack of a fail-safe.

People criticise Proof of Work for creating centralization. Bigger miners earn more money, which they invest in faster mining equipment to earn even more money, and so on until there is only one entity that essentially owns the network. Everyone fears centralization in Bitcoin because it can bring about the dreaded 51% attack. However, a lot of people, including myself, aren't really worried about this. Andreas Antonopoulos explained it well during the Texas Bitcoin Conference - a 51% attack isn't much of a threat any more, since we can always fork the software and make the current ASICs obsolete. As such, any mining operation that relies on those specialized chips has it in its best interest not to attempt to be a malicious entity - it has too much to lose. While a malicious "government entity" (or anyone that wants to destroy the network at a cost) would not care about the losses, it wouldn't be able to accomplish anything regardless.

A Proof of Stake network essentially lacks this fail-safe. If an entity controls the majority of coins in the system, it can perform a 51% attack as well. To take the network back, one would need either to abandon the PoS mining algorithm or to erase the malicious entity out of existence. However, due to the pseudonymous nature of cryptocurrencies, the attacker in question can easily shuffle their coins to new addresses and spread them around so much that they become essentially indistinguishable from anyone else in the network. Tweezing them out would be hard, and a lot of other people might get removed as false positives. As such, a network that relies on Proof of Stake cannot purge itself of a malicious attacker the way a Proof of Work network could.
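The false-positive problem described above can be made concrete. The following is an added example, not code from the original post: it assumes the fork's authors use proportional ("haircut") taint tracking, a heuristic the post does not name, and runs it over a constructed toy ledger whose addresses and amounts are invented for illustration.

```python
from fractions import Fraction

# Constructed toy ledger (not real chain data). Names starting with "atk" are
# the attacker's addresses; that ground truth is hidden from the fork's authors.
GENESIS = {"atk0": 600, "alice": 200, "bob": 200}
FLAGGED = {"atk0"}  # stake observed voting maliciously before it moved
TRANSFERS = [                  # (sender, receiver, amount), applied in order
    ("atk0", "pool", 600),     # flagged stake enters a shared service
    ("alice", "pool", 200),    # an honest user uses the same service
    ("pool", "atk1", 300),     # withdrawals to fresh addresses
    ("pool", "atk2", 300),
    ("pool", "alice2", 200),
]

def propagate_taint(genesis, flagged, transfers):
    """Proportional taint: each transfer carries the sender's current taint ratio."""
    balance = {a: Fraction(v) for a, v in genesis.items()}
    taint = {a: (Fraction(v) if a in flagged else Fraction(0))
             for a, v in genesis.items()}
    for src, dst, amount in transfers:
        if amount <= 0 or balance.get(src, 0) < amount:
            raise ValueError(f"invalid transfer {src}->{dst} {amount}")
        moved = taint[src] * amount / balance[src]
        balance[src] -= amount
        taint[src] -= moved
        balance[dst] = balance.get(dst, Fraction(0)) + amount
        taint[dst] = taint.get(dst, Fraction(0)) + moved
    # Report (balance, taint ratio) for every address that still holds coins.
    return {a: (balance[a], taint[a] / balance[a]) for a in balance if balance[a] > 0}

def fork_out(state, threshold):
    """Drop every address with taint ratio >= threshold; measure the damage."""
    dropped = {a for a, (_, ratio) in state.items() if ratio >= threshold}
    honest_lost = sum(bal for a, (bal, _) in state.items()
                      if a in dropped and not a.startswith("atk"))
    attacker_kept = sum(bal for a, (bal, _) in state.items()
                        if a not in dropped and a.startswith("atk"))
    return dropped, honest_lost, attacker_kept

if __name__ == "__main__":
    state = propagate_taint(GENESIS, FLAGGED, TRANSFERS)
    for threshold in (Fraction(1, 2), Fraction(3, 4), Fraction(9, 10)):
        dropped, honest_lost, attacker_kept = fork_out(state, threshold)
        print(f"threshold {float(threshold):.2f}: dropped={sorted(dropped)} "
              f"honest erased={honest_lost} attacker kept={attacker_kept}")
```

In this ledger the attacker's new addresses and the honest user's new address end up with the same taint ratio, so every threshold either erases honest coins or leaves the attacker's stake intact.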

Of course, a non-malicious entity wouldn't want to perform a 51% attack on the network. The attack would evaporate any value their stake would have. However, a malicious "government entity" that wished to take down a PoS network would have a much easier time doing it, since forking them out of the ledger would be much harder.

4 comments:

  1. Respectfully, there is a simple mechanism that can provide a fail safe:

    Launching a chain with a new genesis block that does not include the malicious stake. Essentially a hard fork is required, and delegates/users will switch to use the chain that has forked out the stake that was voting for malicious delegates. It requires significantly less change than a POW change to bitcoin, as it is provable that the stake that gets "booted" was voting in a self-harming manner. Changing Bitcoin's POW will cause harm to all honest miners who have invested in SHA hashing hardware equally, in a scorched earth manner.

    Looking forward to your reply!

  2. Since anyone can become a delegate on the network, it's essentially a throwaway identity that you build trust for. A malicious attacker can create a lot of them and most of them will appear harmless, drowned in the sea of other 101-delegates wannabes. You can then proceed to vote them up into the delegate pool, and once you do, other people will vote the same since those entities would appear trustworthy. You would hide that activity by voting on other delegates as well and spreading your stake over many accounts. Voting on 100 malicious delegates gets drowned out by voting on 900 other delegates as well. Add some social engineering by creating fake delegate profiles and encouraging people to vote for them. After that, the malicious attacker is virtually undistinguishable from other people on the network.

    Then perform the 51% attack, and in the ensuing panic prepare to switch identities to new delegates that would come in to champion against the attackers. If a fork happens, use that to your advantage to ruin the reputation of PoS by saying that "developers just want their own buddies in charge". Repeat the same attack a few times and the lie will sound more and more like the truth.

    Tweezing out the attacker is a problem, since you risk innocent people losing money. Since a lot of them would be casual people that don't know the risks, you are alienating a lot of people. Moreover, this discourages people from voting at all, undermining the network (you don't want to vote for the wrong person so you won't lose your money).

    ----

    Compare this to PoW. People mining are businesses that have to heavily invest in new technology all the time to keep up with their competitors. In case of a fork, they can write their losses off and proceed to buy new equipment to recoup their losses. They are not casual people that lost their money. Sure, a number of them would just leave after the fork, but people holding the coins wouldn't be more affected than in PoS (the currency loses value in both cases, but at least they keep their coins).

  3. https://bitcointalk.org/index.php?topic=604716

  4. Basically what you describe is the ability for an attacker to cause "collateral damage" if they can convince honest voters to support their malicious delegates and then the proposed fork revoking the stake supporting the malicious delegates. I do not contend that DPOS must always prevent all collateral damage to recognize that there are modes to defend against malicious delegates, but even if we wanted to be completely sure of all malicious voters, the maximum damage that an attacker could cause would be to inflate the supply (if they are patient enough to wait more than 2 weeks after delegates are voted in), temporary partial manipulation of the price feeds, and a temporary denial of service for transactions, with the latter two only making a meaningful effect on the network if they control more than 51 delegates (>8.75% stake).

    The social engineering aspects are general weaknesses of any voting-based system.

    Comparing to PoW: realistically any fork of bitcoin to remove SHA hashing would result in two bitcoin chains. Miners will not simply melt down their miners for scrap, they will mine on the longest POW chain and it will be a political matter to convince users to switch to the new consensus algorithm.

    Bottom line: DPOS provides a mechanism to fork out malicious stake, while POW leads to a game theory conclusion of either network death or increased investment to unseat the malicious miners.

    That said, I still support POW as a consensus algorithm because of the incentives to cooperate. I also support DPOS for the same reasons.
