Hacker News
by ricardolopes 1665 days ago
The block 200 will be adding validation to the previous blocks, and will be validated by the future ones. Without other types of checks, nothing stops you from rewriting the previous 199 blocks and using block 200 to validate them.

This is not FUD, it's the most obvious PoS flaw, called long range attack, and the reason PoS chains often need more checks to be more trustworthy (e.g. keeping hardcoded checkpoints, choosing the first received block as valid, introducing penalties and so on).
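To make the rewrite concrete, here is an added toy simulation; it is not code from the commenter, from any real client or from any real chain. It models a small proof-of-stake chain where a naive client checks only that each block links to its parent and carries a majority of valid validator signatures. An attacker holding the (since withdrawn) validator keys rebuilds history from genesis; the naive client accepts the rewrite, while a client that also pins a hardcoded checkpoint, as mentioned above, does not. Validator "keys" are HMAC secrets, and all names, payloads and the 10/11-block chains are constructed.

```python
"""Toy long-range-attack model for a naive proof-of-stake client.

Constructed example: validators are HMAC secrets, blocks are dicts, and
the naive fork-choice rule is simply 'longest valid chain wins'.
"""
import hashlib
import hmac
import json

# Constructed validator set: five validators whose keys are HMAC secrets.
VALIDATORS = {f"val{i}": f"secret-{i}".encode() for i in range(5)}
GENESIS_PARENT = "0" * 64


def block_hash(block):
    """Hash of the block header (height, parent, data); signatures excluded."""
    header = {k: block[k] for k in ("height", "parent", "data")}
    return hashlib.sha256(json.dumps(header, sort_keys=True).encode()).hexdigest()


def sign(secret, digest):
    """Stand-in for a validator signature over a block hash."""
    return hmac.new(secret, digest.encode(), hashlib.sha256).hexdigest()


def build_chain(payloads, signers):
    """Build a chain from genesis, every block signed by every signer."""
    chain, parent = [], GENESIS_PARENT
    for height, data in enumerate(payloads):
        block = {"height": height, "parent": parent, "data": data}
        digest = block_hash(block)
        block["sigs"] = {name: sign(sec, digest) for name, sec in signers.items()}
        chain.append(block)
        parent = digest
    return chain


def chain_valid(chain, validators):
    """Parent links intact and a strict majority of valid signatures per block."""
    parent = GENESIS_PARENT
    for block in chain:
        if block["parent"] != parent:
            return False
        digest = block_hash(block)
        good = sum(
            1 for name, sig in block["sigs"].items()
            if name in validators
            and hmac.compare_digest(sig, sign(validators[name], digest))
        )
        if 2 * good <= len(validators):
            return False
        parent = digest
    return True


def naive_choose(candidates, validators):
    """Naive client: longest chain that passes signature validation."""
    valid = [c for c in candidates if chain_valid(c, validators)]
    return max(valid, key=len, default=None)


def checkpointed_choose(candidates, validators, cp_height, cp_hash):
    """Same rule, but the chain must also contain the pinned checkpoint block."""
    valid = [
        c for c in candidates
        if chain_valid(c, validators)
        and len(c) > cp_height
        and block_hash(c[cp_height]) == cp_hash
    ]
    return max(valid, key=len, default=None)


def run_scenario():
    honest = build_chain([f"honest tx {h}" for h in range(10)], VALIDATORS)
    # Attacker holding the old keys rewrites history from genesis and adds
    # one extra block so the rewrite is the longer of the two chains.
    rewritten = build_chain([f"attacker tx {h}" for h in range(11)], VALIDATORS)
    cp_height = 5
    cp_hash = block_hash(honest[cp_height])  # checkpoint shipped with the client
    return {
        "both_valid": chain_valid(honest, VALIDATORS) and chain_valid(rewritten, VALIDATORS),
        "naive_picks": naive_choose([honest, rewritten], VALIDATORS)[0]["data"],
        "checkpointed_picks": checkpointed_choose(
            [honest, rewritten], VALIDATORS, cp_height, cp_hash)[0]["data"],
    }


if __name__ == "__main__":
    print(run_scenario())
```

Note that the checkpoint does not make the rewritten chain cryptographically invalid; both chains verify identically because the same keys signed them. The checkpoint only makes the rewrite unreachable for a client that already knows one honest block hash, which is exactly why the extra, non-cryptographic rules listed above are needed.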


Here’s a recent ETH2 block: https://beaconcha.in/block/2604970#votes

It was voted for by 8000+ validators. Many of them have been validating since beacon chain genesis a year ago. There are like 260k validators active right now.

I find it highly unlikely some entity is going to come along and try to pretend their alternate history, with a whole new set of hundreds of thousands of validators (which wouldn’t be supported by any ETH1 deposits) and millions of signatures signed by 260k freshly generated public keys, is in any way legitimate.

ETH2 was years in the making, with multiple delays and not fully migrated yet precisely because of how unsafe standard PoS is. Vitalik and co spent years researching the best mitigations.

Right now, it seems to be one of the best protected PoS chains. It's still fairly new, with novel mitigations, so it still doesn't stand the test of time against all possible attack vectors.

In that sense, it still can't be considered as secure as a PoW chain with high hashrate, which is protected by thermodynamics (you can't produce more hashes than the physical energy you have access to allows).

> unsafe standard PoS

Not "unsafe standard" but "dangerous/unsafe to bootstrap".

But there are ways to mitigate the bootstrapping issue to some degree.

And PoW chains tend to have a low cost at the beginning, making them similarly not easy to bootstrap safely (though easier than PoS).

In the end I don't think what is theoretically better matters; what really matters is what practically matters for big cryptocurrencies (and smaller ones can, during bootstrap (and potentially later on), interlink with the large chains).

PoS is more quantum-resistant though. If someone were to build a quantum computer capable of running Grover's algorithm on bitcoin hashes, they would get a quadratic speedup over classical miners. That's a threat that doesn't exist on PoS.

(Both would be vulnerable to Shor's but post-quantum signatures would fix that.)

PoS is not more quantum-resistant, because of the situation with Shor's algorithm, and that a key compromise would be much more damaging.

It might be, in the future, if you replaced the keys, but it isn't now. Words mean things, and it really is important to use them correctly.

(Also, wouldn't the network respond by just raising the difficulty, miners respond by buying quantum computers, and the world to spin as usual?)

PoS is a class of consensus protocol, not any particular blockchain. It's orthogonal to signature algorithms. A blockchain can incorporate any combination of consensus algorithm and signature algorithm. So yes, please use your terms correctly.

If sufficiently powerful quantum computers become readily available to anyone, sure, everybody will upgrade. Given the exotic hardware they typically require, it seems likely that for a while only a few large organizations will have them.

If you're fine with changing algorithms, wouldn't PoW also be able to change to something more quantum-resistant?

Is there a known limit for the energy to hash ratio?
> It was voted for by 8000+ validators.

Which parts of this are checked by the client software, and which parts are just checked by interested humans in the block explorer?

There's a trade-off here. If you require 8000 guys to all vote in favor of your block, what does the client do if it only sees 7999?

> which wouldn’t be supported by any ETH1 deposits ... signed by 260k freshly generated public keys

You misunderstand. What happens if some of those private keys get compromised? In Bitcoin, if I sell my miners to someone else, it's not like they're radioactive waste that has to be buried. In PoS, someone can cause quite a bit of damage with keys that ostensibly don't contain any money. And because I've already withdrawn, I have no reason to care.

The system is fault tolerant. You typically get 99.X% participating. Any validator that doesn't perform their duty in a timely fashion is penalized and eventually ejected if they are disruptive.

Those private keys are useless unless you had something like 50% of all the active validators' keys. So, hundreds of thousands of private keys hacked. You're not going to be able to damage consensus using a few old leaked private keys. The best you could do would be to slash some active validators and get them ejected, but the chain would carry on finalizing without them.

Even if they tried, it’d take weeks, months to get all of their validators accepted by the chain because of the limit each day.
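The "what if only 7999 of 8000 show up" question and this reply about penalties and ejection can be illustrated with an added toy model; it is not code from either commenter and does not reproduce the beacon chain's real constants or shuffle. A committee is drawn per slot from a seed (Python's random module seeded from a SHA-256 digest stands in for a RANDAO-style beacon), a block is accepted when the attesting share of the committee meets a quorum, and absentees lose balance until they are ejected. The 2/3 quorum, the 1-unit penalty, the ejection floor of 16 and the starting balance of 32 are assumed parameters of the toy, and the validator names are constructed.

```python
"""Toy committee selection, quorum check and inactivity penalties.

Constructed example; the seed-to-committee mapping is a simplification
standing in for a RANDAO-style beacon, and every constant is assumed.
"""
import hashlib
import random

QUORUM = 2 / 3          # assumed: share of the committee that must attest
PENALTY = 1             # assumed: balance lost per missed duty
EJECT_BELOW = 16        # assumed: balance below which a validator is ejected
START_BALANCE = 32      # constructed starting balance per validator


def select_committee(validators, seed, size):
    """Deterministically pick `size` validators for a slot from `seed`."""
    digest = hashlib.sha256(seed).digest()
    rng = random.Random(int.from_bytes(digest, "big"))
    return rng.sample(sorted(validators), size)


def tally(committee, attestations, quorum=QUORUM):
    """Accept the block if at least `quorum` of the committee attested.

    Returns (accepted, absent_validators); a single no-show does not
    block acceptance, so 7-of-8 here behaves like 7999-of-8000.
    """
    absent = [v for v in committee if v not in attestations]
    share = (len(committee) - len(absent)) / len(committee)
    return share >= quorum, absent


def apply_penalties(balances, absent, active):
    """Penalise absentees; eject any whose balance drops below the floor."""
    ejected = []
    for v in absent:
        balances[v] -= PENALTY
        if balances[v] < EJECT_BELOW and v in active:
            active.discard(v)
            ejected.append(v)
    return ejected


def simulate(num_validators=260, committee_size=8, epochs=2000, offline="val000"):
    """One validator is permanently offline; every other validator attests."""
    active = {f"val{i:03d}" for i in range(num_validators)}
    balances = {v: START_BALANCE for v in active}
    results = {"accepted": 0, "rejected": 0, "offline_missed": 0, "ejected": []}
    for epoch in range(epochs):
        seed = f"epoch-{epoch}".encode()          # constructed per-slot seed
        committee = select_committee(active, seed, committee_size)
        attestations = set(committee) - {offline}
        accepted, absent = tally(committee, attestations)
        results["accepted" if accepted else "rejected"] += 1
        results["offline_missed"] += len(absent)
        results["ejected"] += apply_penalties(balances, absent, active)
    results["offline_balance"] = balances[offline]
    return results


if __name__ == "__main__":
    print(simulate())
```

Because the offline validator is at most one of eight committee members, no block is ever rejected; the chain keeps finalizing, and the absentee is the one who pays, first in balance and then by ejection from the active set, after which it is never selected again.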

Are those 8k/260k individuals, or could they all be Sybil?
Whoever the 260k are (and I know some of them) if they’re all one entity, they would have had to stake eight million ETH and counting into the ETH2 deposit contract.

The 8k are randomly selected from this pool of 260k validators via RANDAO every 12 seconds.

How is that different from 8000-of-260k multisig?

It's similar in that 8k sigs are collected and coalesced to sign something. From there the differences begin. M-of-N schemes must be orchestrated ahead of time, using Shamir's or by constructing a BTC multisig UTXO or something. When signing, one may choose freely among the key shards. It's performed in the usual execution layer of the chain.

Whereas in ETH PoS, validation happens in the consensus layer, following strict self-imposed rules. With each new block, one validator is chosen to propose the block, and thousands of validators are asked to back the proposer. The proposer and attesters are chosen randomly but specifically with no freedom to mix and match; the chosen validators must attest (and receive a reward) or else be penalized. Validators don't know each other and they don't need to cooperate to create a shared key ahead of time; all they have to do is deposit and follow the rules. The signatures are agglomerated by [BLS elliptic curve stuff, idk, it's magic] and help to form the consensus chain itself.