[jude-]

It's far easier to break a PoS chain -- you simply knock the coin-holding nodes offline. Knock enough offline, and you can no longer reach quorum. If offline nodes' coins get slashed in order to reach quorum and restart block production, and the system permits forking, then why would offline nodes rejoin the original fork? They're incentivized to only consider forks where they're not slashed. If the system does not permit forking, then the system breaks once the attackers (1) stake a nominal amount of coins, and (2) knock enough other nodes offline such that they are the majority staker.

[CuriousCosmic]

This isn't really an attack unique to Proof of Stake. If a node goes offline they can lose rewards or even in rare cases have their coins slashed to some extent but that isn't inherent to a Proof of Stake overall. A decent number of Proof of Stake systems instead place reward penalties on pools/nodes that go offline. The idea being that it is a penalty for not maintaining sufficient infrastructure while also not being so severe that it could be leveraged in such an attack.

Most PoS algorithms I've seen instead reserve stake slashing as a penalty for malicious behaviour. Going offline isn't by any means inherently malicious. There are however plenty of actively malicious actions that can be detected and reacted against. Often for the more severe penalties it will require some level of community involvement in the recovery stage to limit opportunities for abuse.

Additionally, it shouldn't be easy to take a block producer offline and Stake Pool(or node) Operators should be preparing for these types of attacks. I've been watching some of the work being done in the Cardano Stake Pool Operator community and the various SPO guilds have decently sophisticated architectures. "Nodes"/"Pools" are broken up into Relays, Producers, and sometimes additionally Key Generators. Key Generators produce the periodically expiring KES keys and pass them to the Producers on a schedule (to minimise potential attack surfaces). The Producers actually engage in the consensus using the keys provided by the key generators and communicate through the relays. The Relays handle the throughput and communication. This allows the producers (and by extension the key generators if used) to be largely shielded from the open net. This also allows producers and relays to have a certain amount of redundancy/failover. An architecture like that may cost more (and eat into rewards a bit more) however they are far more difficult to DDoS or compromise.

Since the barrier for the hardware is so low, a 1x2x2 or 1x2x3 (keygen x producer x relay) architecture can still be more than profitable (retaining 25% to 75% of the SPO rewards as profit). Additionally this has the advantage that various other income streams can be integrated in (state channel operation, compute nodes, storage nodes, etc) over time and the operation can be scaled up without compromising security or requiring a significant re-architecture.

Proof of Stake can be just as secure as Proof of Work but it requires that the incentives be structured properly and sufficiently hedged against potential risks.

[jude-]

Okay, so instead of knocking your nodes offline, the attacker only has to commandeer them for just long enough to commit a slashable offense. That's usually easier anyway.

This is fundamentally a double-edged sword -- the harsher your penalties are for bad behavior, the easier it is for someone to use a zero-day and kill your staking coins. But the laxer your penalties are, the more damage a buggy or malicious node can do with impunity.

Either way, the resilience of PoS comes down to the resilience of the majority of its staking nodes, because once you lose that, the system is dead. Once you control majority stake, it doesn't matter how many other offline coins exist -- you, as the majority staker, simply never mine their transactions.

This isn't true for PoW systems. A PoW system can always be brought back to life, even after an arbitrarily long amount of inactivity, and even if all the previous miners cease mining. All you need is one miner, somewhere, that has a copy of the chainstate, and the system makes forward progress.

[CuriousCosmic]

At least on Cardano, slashing is extraordinarily unlikely and only occurs during recovery from a successful attack. The idea being that the community forks from the moment before the attack and slashes the funds from the attacker. In the case of a zero-day or other attack where the stake pools are forced into being unwilling attackers due to circumstances excluding negligence, KES keys are invalidated/regenerated and the pools don't have their funds slashed. Additionally, delegators either end up taking a leap of faith with their existing pool or more likely move to uncompromised pools.

Recovery is an inherently manual process as either stake pools or miners must actively choose to switch to the new fork (at least initially). This doesn't return to an automated process until the ball actually starts rolling again. I say this is inherently manual as all 51% attacks violate the proof (of work, stake, or any other resource) that allows untrusted collaboration. Instead the community is required to cooperate momentarily based on the collective investment and trust that has been built parallel to the operation of the network.

The difference with PoS compared to PoW during this recovery process is that in a pure attack (i.e. one not due to a software bug/zero day), the resource is permanently burned (slashed) and the recovery can occur. With PoW however the resource doesn't disappear and can always either come back or come from another ecosystem for a second attack.

Outside of the bootstrap and the recovery phase, PoS and PoW are effectively equivalent in security. PoS is slightly weaker in the bootstrap phase and PoW is slightly weaker in the recovery phase. This isn't inherently bad for either system, it's just a matter of trade-offs. Arguably I'd say this is why transitions from PoW to PoS will be much safer than a clean bootstrap. The existing network strength from the PoW era is able to protect the PoS segment while it works through the bootstrap phase.

[jude-]

Hi, notice that I'm not proactively bringing up any specific cryptocurrencies, let alone the same cryptocurrency over and over in the same thread. This is because I'm not a bagholder.

I have no interest in talking to bagholders. The science and engineering details of cryptocurrency design and implementation are by definition beyond a bagholder's comprehension. The act of holding bags precludes formulating a dispassionate understanding of cryptocurrencies -- as Upton Sinclair put it, "It is difficult to get a man to understand something when his salary depends on his not understanding it."

You see, if I was a bagholder, I would have a hard time comprehending why it's a terrible idea to fall back to the "community" trying to decide which fork is valid. If the community members had high enough trust in one another that they don't need the blockchain (specifically, a fork-ranking protocol) to come to a valid majoritarian decision on which fork is the right fork, then we really don't need the blockchain in the first place! The same sinews of trust can be used to decide what everyone's balance is at all times, since after all, the community members already trust one another to decide which transaction histories (out of many) is the true ledger. But thankfully, I'm not a bagholder, which means I can see that this assumption about the community is not viable.

Also, if I was a bagholder, I would have a hard time comprehending why attackers don't just try and buy 51% of the stake. It would be difficult for me to understand that attackers are going to take the path of least-effort, which would be the act of knocking nodes offline and/or exploiting zero-days on nodes hosting staking coins in a bid to get the network to slash enough of the honest coins that quorum can no longer be met. But thankfully, I'm not a bagholder, which means I understand this weakness.

In addition, if I was a bagholder, I would have a hard time understanding that PoW and PoS security in their "happy paths" is irrelevant. The resilience of blockchains is determined by their unhappy path behaviors. PoW requires less proactive trust and coordination between community members than PoS -- and thus is better able to recover from both liveness and safety failures -- precisely because it both (1) provides a computational method for ranking fork quality, and (2) allows anyone to participate in producing a fork at any time. If the canonical chain is 51%-attacked, and the attack eventually subsides, then the canonical chain can eventually be re-established in-band by honest miners simply continuing to work on the non-attacker chain. In PoS, block-producers have no such protocol -- such a protocol cannot exist because to the rest of the network, it looks like the honest nodes have been slashed for being dishonest. Any recovery procedure necessarily includes block-producers having to go around and convince people out-of-band that they were totally not dishonest, and were slashed due to a "hack" (and, since there's lots of money on the line, who knows if they're being honest about this?). But thankfully, I'm not a bagholder, so I understand the difference.

It's great to know that you, too, are not a bagholder, and you're continuously bringing up Cardano solely because it's a motivating but misguided example, and has nothing to do with how many Cardano tokens you own. Otherwise, I'd have nothing to say to you at all, and if HN had the feature, I'd have simply blocked you already.

[abriosi]

Thank you very much for this discussion