Proof of stake is incapable of producing a consensus

(my day job is developer on Proof-of-Stake Algorand block chain, I'm a developer, this may not be polished official PR) Article's theory about malicious old blocks doesn't hold up. Let's say I start a new node and verify history since the beginning. Somewhere along the line I'm connected to a malicious node which hands me a fictionalized block. It would need to have been signed by not just one but about 30-45 accounts _which had stake at that time_. Proof-of-Stake attacks aren't about having 51% of the CPU that overwhelms a Proof-of-Work system, but about having 60-70% of the _value_ in the network. So, if Warren Buffet comes along and wants to spam our network, I guess he could, but that would destroy the network and destroy his value that he sunk into the network. _That_ is a guardrail for PoS systems as much as any crypto or consensus-protocol element (and the algorithms are right, original article misunderstands them).

PoW systems rely on the &quot;phone a friend method&quot; as well. When you download a Bitcoin client from a &quot;friend&quot;, you are trusting them to honestly introduce you to the network. If you fall asleep for a period of years, you have to trust your friends to honestly inform you of all of the PoW forks and policy changes that have occurred over that interval. The only difference is that PoS blockchain clients must be bundled with a modestly-recent block hash along with the thousands of lines of code that you have no practical way to audit.<p>The problem eventually reduces to Ken Thompson&#x27;s &quot;Trusting Trust&quot; [1] problem. There&#x27;s no way to externally validate the honesty of any system (cryptocurrency, or otherwise).<p>[1] <a href="https:&#x2F;&#x2F;www.cs.cmu.edu&#x2F;~rdriley&#x2F;487&#x2F;papers&#x2F;Thompson_1984_ReflectionsonTrustingTrust.pdf" rel="nofollow">https:&#x2F;&#x2F;www.cs.cmu.edu&#x2F;~rdriley&#x2F;487&#x2F;papers&#x2F;Thompson_1984_Ref...</a>

Proof of work has always had an economic flaw that you could theoretically temporarily rent enough mining power to perform double spends of more value than the cost of renting those devices.<p>But this attack has never been performed because the reality of all these cryptocurrencies is that the security depends only relatively weakly on proof of work. Instead it relies on trust between the main stakeholders: miners, big nodes and developers. This is just like any other human organisation. That trust is only reinforced by proof of work, making it easier for new parties to become trusted.

He lost me at the part where he thinks you can sign messages after withdrawing your stake.<p>The whole point of proof of stake is that you can only sign blocks or messages while you have something staked. When you withdraw you are no longer allowed to sign anything.<p>He also didnt need to spend 1000 words going on about the history of bitcoin and proof of work.<p>This is literally just a filler piece with a provocative clickbait title to stir up the anti cryptocurrency folks here

Is this FUD from Bitcoin maximalists?<p><i>&gt; That key is valid to sign any number of versions of, let’s say, block #200, and there is no objective, system-internal standard for which version is legitimate, other than “the one that was published first”.</i><p>The real block #200 will have hundreds of attestations courtesy of randomly-selected validators, each of those signatures attesting to its validity and finality.

The author has good points, bad points and badly explained stuff. The article is a bit confusing at best and disorientating at worst.<p>But I&#x27;ll try to explain here, why the author thinks that PoW is magical. It&#x27;s still bound to the readers, or philosophers, to pull whatever they want from this.<p>Proof of Work creates time. In a decentralized system, you don&#x27;t have time. If time was provable, the double-spending problem would not happen. You would sign a transaction and broadcast it; a second transaction that you would sign later, will have a higher timestamp. Obviously, you can sign a transaction later and have a lower timestamp, there is nothing that prevents you from that.<p>What Proof of Work does, is create an arrow of time. Using this arrow of time, the nodes create a ledger (the blockchain).<p>The OP is arguing that PoS cannot create an arrow of time; and as a result, the PoS is still liable to the double-spending problem.

&gt; Proof of stake is a scam. When I say that, I mean that proof of stake is (1) claimed to be a consensus system, and (2) constitutionally incapable of actually producing a consensus.<p>Ok. Go break one of the many existing systems that operates using proof of stake then. If you&#x27;ve done this, you should be leading your article with it. If you haven&#x27;t, you shouldn&#x27;t be speaking.<p>Proof of stake is not some theoretical thing being proposed in the abstract. Many systems operate on it as we speak.

While the discussion about consensus algorithms is interesting and each side has good points, it should not be confused with the much more pertinent decision about simbolic currency (conceptually similar to fiat) versus proof of burned resources money (conceptually similar to gold).<p>We should not confuse the two topics. It&#x27;s entirely possible to have a chain where the consensus is established by PoW, yet the monetary base is created by decree without any wasted resources, for example gifted to some charities or dropped by helicopter to anyone who has a Twitter account.<p>While the security PoW chains create is proportional to the amount of resources spent, there is absolutely no reason to think the current level of burn in Bitcoin is optimal - and strong reason to think that there is massive waste, that is, Bitcoin protects against double spend to a degree orders of magnitude harder than what a credible attacker might be willing to spend. What results is wasted energy that brings no tangible security to the users of the currency.

PoS is a flawed system that enriches the project founders primarily. Just look at Charles Hoskinson or Gavin Wood.<p>PoW is apparently bad for the environment. So it leaves us in an interesting situation.<p>The Ethereum project has shown that the concept of decentralization only applies when it&#x27;s on their terms. It&#x27;s not a true principle.

I&#x27;m blown away by how quickly this rose on HN and how unconvincing it is.

As far as I am aware, these long-range forks can be hindered by using verifiable delay functions (VDFs) [1, p. 6]. Essentially, VDFs take a certain amount of steps to compute and cannot be parallelized. However, the correctness of their output can be verified efficiently.<p>Now if a proof of stake includes a VDF that needs to be computed for every block, then a long-range attack needs to recompute the VDF outputs as well. This is infeasible as it will take a long time given the correct choice of VDF parameters.<p>Notably, the Chia blockchain mentioned in the article would succumb to long-range attacks as well were it not for their usage of VDFs [2, p. 17].<p>[1] <a href="https:&#x2F;&#x2F;eprint.iacr.org&#x2F;2018&#x2F;601.pdf" rel="nofollow">https:&#x2F;&#x2F;eprint.iacr.org&#x2F;2018&#x2F;601.pdf</a> [2] <a href="https:&#x2F;&#x2F;www.chia.net&#x2F;assets&#x2F;ChiaGreenPaper.pdf" rel="nofollow">https:&#x2F;&#x2F;www.chia.net&#x2F;assets&#x2F;ChiaGreenPaper.pdf</a>

I thought I understood what author says. After reading comments, I am lost again. I will continue my journey clueless, without ever touching this burning pile of trash with scammers on top.

After reading this whole article, I find it really scary that something like this can get so much attention.<p>It looks like the author read about PoS circa 2014 and hasn&#x27;t read anything written or done since then. It&#x27;s true that the &quot;nothing at stake&quot; problem exists, but there are tons of practical solutions and mitigations that work, many of which are already deployed and protecting &gt;$100M. Soon ETH will be securing trillions with such mitigations.<p>To address the specific points the author makes:<p><pre><code> 1. If a node signs another version of the same block within a reasonably short time period, “slash” their deposits (e.g. punish them inside of the system) </code></pre> You don&#x27;t have to know which came first, just like in BTC. You just need a longest chain rule with the property that the longest chain is final after a certain point (subject to certain assumptions about the % of stake that is honest). This is how nearly every blockchain works and it&#x27;s not special in proof of stake.<p><pre><code> 2. If a node signs another version of the same block, like, a year later, just ignore it. </code></pre> Yes, that&#x27;s fine. Lots of chains do this. It&#x27;s called a &quot;finality mechanism&quot;. Even ETC has one called MESS while still using proof of work (although MESS is probably broken). Bitcoin could add one too. This is orthogonal to PoS vs PoW.

I&#x27;m trying to understand the central technical argument being made here. Please tell me if I got this right.<p>---<p>Somebody has a stake in a PoS crypto currency. They can now do two things: 1) sell their stake 2) sign something fraudulent (like a double spend).<p>Since there is no decentralized timestamp service, a node validating those two actions doesn&#x27;t know how to order them, so different validating nodes come to different conclusions, and no global consensus is reached.<p>---<p>Is that what the article is trying to say?<p>And if yes, isn&#x27;t the solution fairly easy? Within the same &quot;chain link&quot; of the block chain, require each action singed by the same private key to have a strictly monotonic sequence number, and if two actions appear with the same sequence number, discard both these two and all actions signed by that private key.

This is like two homeless people arguing who is richer.<p>Yes both PoW, PoS solve the double-spend problem, but in a brute-force way. And they never really get rid of the ambiguity of which chain is the one to go by. They just aggregate all the little ambiguities into one or another consistent version of history (a chain) and let them duke it out by massive electricity or stake or whatever. But at any moment, someone could have been mining a chain in “secret” and will emerge to thwart the rest of the network for a while.<p>There is a better way. Blockchains are actually quite centralized since to make any progress every N seconds you need to send all transactions in the entire world to one miner, and the block is limited in size. Actually it’s worse than that in Proof of Work — because you don’t know who will solve the silly problem, you have to gossip every transaction to every miner!<p>Oh yeah, and if you store UTXOs then you have to store the history of everything. And even if you didn’t, you have to store the current state of everything. Oh how nice and decentralized! LMAO

This person doesn’t have any idea how PoS works and all of the people upvoting it don’t either.<p>It’s very astonishing that the HN crowd still doesn’t understand blockchain after 13 years.<p>The article is complete nonsense because:<p>1. The author thinks that PoS is about having computing power. If someone thinks that they seriously don’t know anything about PoS and haven’t done any research<p>2. Proof of Work is 100x more centralized because 2 companies control the majority of mining equipment production and 4 companies control the hashpower including all kinds of attack vectors, instead of the around 200 entities in PoS.<p>3. There are many attack vectors for the PoW model of which many only require malicious behaviour of 1 person, be it the CEO of one of these companies or a disgruntled worker that is bribed with a couple of million dollars.<p>3. The cost of taking over consensus for a PoS network, such as Solana or Ethereum 20 requires billions or trillions of dollars worth of coins that then all would rank heavily in value<p>That’s why PoS is around 1,000x -1,000,000x more secure than PoW depending on how big the market cap of the PoS network is.

Do people deploy PoS chain clients that are ok with blocks that totally ignore the historical leader schedule or use a leader schedule that could not have resulted from the distribution of stake in the network at the time? If not, how will the attacker who wants to swap out a single block a year later get all the other validators to sign a year worth of new blocks?

The most important part of this post doesn&#x27;t even have anything to do with cryptocurrency:<p>&gt; If the broad masses of people disagree with the platform landlord, their opinion will be altered to conform with the rules, or else they will no longer have a voice.<p>We really need to fix that problem.

&gt; If you have a file on a computer, despite what NFT promoters believe, it is not possible to prevent people from copying it.<p>Not sure if these quips are meant to be jokes or serious, but nonsense like this detracts from the credibility of the argument. Nobody believes the data corresponding to an NFT cannot be copied.

My opinion on PoS is that because no other community that I know of outside of bitcoin has a culture of running nodes normal people will just stake through exchanges. Now you have these exchanges acting not only as the in and out ramps but also as the biggest network validators meaning that they can direct transactions. Congratulations. You’ve just went full circle and invented central banks.<p>Am I wrong? Would gladly read counter arguments.

If it’s scam, the article could have presented a stronger case for it. The objection seems theoretical. If PoS is broken, I would expect to see a plausible attack spelled out.

My general observation is that blockchains are, at best, secure in the same way https is secure. Yes I have padlock icon on the browser address bar, and my connection is secure, there’s a security certificate, but the whole thing can still be a scam.<p>Who personally verifies every contract they use? Wallet implementation? Cold wallets are closed-source, trust-me devices, maybe with a security certificate from a centralised, government-linked security org.<p>The strongest link in any security chain is not irrelevant, but the whole system is really not perfectly trustless anyway.

The author&#x27;s objection to proof-of-stake seems to be based entirely on some ostensibly-inherent vulnerability to the nothing-at-stake problem, but at least one consensus protocol¹ has had explicit mitigations against that vulnerability (and numerous others) for almost half a decade now, and I&#x27;d be very surprised if other protocols haven&#x27;t adopted any mitigations at all.<p>¹: <a href="https:&#x2F;&#x2F;eprint.iacr.org&#x2F;2016&#x2F;889.pdf" rel="nofollow">https:&#x2F;&#x2F;eprint.iacr.org&#x2F;2016&#x2F;889.pdf</a>

This is a silly article. Only working in a weaker security model does not, a priori, mean that proof of stake is a scam; it just means you need to convince yourself that the weaker security model holds. You can read the post linked (<a href="https:&#x2F;&#x2F;blog.ethereum.org&#x2F;2014&#x2F;11&#x2F;25&#x2F;proof-stake-learned-love-weak-subjectivity&#x2F;" rel="nofollow">https:&#x2F;&#x2F;blog.ethereum.org&#x2F;2014&#x2F;11&#x2F;25&#x2F;proof-stake-learned-lov...</a>) and decide for yourself.<p>Personally, I think this kind of &quot;quiescent&quot; knowledge, letting you differentiate the real chain from the fake chain on long enough timescales (which basically amounts to knowledge of a single hash, when you get right down to it), is perfectly reasonable to assume under realistic circumstances, for the same reason that synchronized time is not a remotely difficult problem on long enough timespans. The only problem lies in new nodes (that enter the system when there&#x27;s <i>not</i> a quiescent state, and the longer chain is being withheld) being exposed to fake chains.<p>By using a VDF as mentioned below to make sure it takes just as long to construct a new chain as it took to construct the old one, one can ensure that as long as <i>at the time the stakers held their keys</i> (rather than for all time) a majority were trustworthy, then the probability that they were able to maintain a longer chain becomes vanishingly small. Therefore, nodes will be able to reliably choose the longer chain on reconnecting to the system. This trust model seems pretty realistic to me, and it&#x27;s not like Bitcoin can handle the case of a continuous partition to begin with.<p>So this just reduces to &quot;once a majority is not trustworthy, the chain can&#x27;t be trusted anymore&quot; which is the <i>actual</i> security tradeoff of PoW vs. PoS (PoW puts trust in hashpower rather than staked coins, so by definition it&#x27;s immune to this sort of issue; if your private key is stolen you &quot;only&quot; lose your coins, not any voting power). I don&#x27;t think this is news to anyone who&#x27;s done much research into cryptocurrency.

I&#x27;ve invented a new get high quick scheme called &quot;NFTHC&quot;, which is based on &quot;Proof of Weed&quot; instead of &quot;Proof of Work&quot;.<p>It&#x27;s 100% green, and based purely on sustainable renewable resources.<p>NFTHC: Burn Weed, Not Coal!

Tezos is Proof of stake, decentralized and clearly has consensus, the three things the author argues cannot occur in a proof of stake system.<p>I did not find this post convincing especially as many proof of stake systems have been running consistently for years now and with significant transaction and economic volume.<p>As an example Tezos has decentralized apps such as liquidity pools, collateral based stablecoin systems, nft ecosystems, coin bridges to other networks such as Ethereum (two way) I use these smart contracts on a weekly basis and have done for a long time now.<p>Tezos manages several orders of magnitude more transaction throughput based on opcode count count vs Bitcoin, transactions, even complex ones cost pennies the network has not been attacked, is worth billions and Tezos energy usage is easily a million times less than Bitcoin.

Am I understanding this correctly; is the threat model that a block signer, some time later after liquidating their stake, can go and publish arbitrary versions of that older block?

Has anyone ever not been accused of being a scammer in this space?

I was thinking deeply about the threat model in a PoS posed about coordinated pooling of resources to effectively mimic the size of a large institutional borrowers with high collateral, i.e. proof of work in the present economic system (US Dollars gathered by him by providing real world value).<p>The main reason proof of work works so effectively is that it deals in physics with the actual expenditure of electricity as the punishment system for failing to produce the correct desired outcome.<p>Abstracting this away again, we have reality itself to content with. Evolutionarily we have evolved in respect to the dominance hierarchy (<a href="https:&#x2F;&#x2F;youtu.be&#x2F;rUiG5_GcMyY" rel="nofollow">https:&#x2F;&#x2F;youtu.be&#x2F;rUiG5_GcMyY</a>) Where effort itself is a necessary precursor to ascending the ranks and being fit to lead.<p>Not to get too metaphysical, but essentially it boils down to:<p>- Social Status is based on real world implications and not self derived from the perceived ranking itself, that is if it is to be most stable across time. Being labeled the boss is essentially useless long term unless you truthfully represent the ideal or most capable individual. (Michael Scott from the television series The Office is a funny example of this)<p>- PoS offers reliability for the system based on its election of stake amount in the system that favors inventors, early adopters, and pre ordained position holders where distribution was not derived from effort in the real world with non-reversible consequences (burning electricity)<p>- Instead the selection mechanism its own value structure which may or may not accurately assess competence for reliable trust in a domain where zero-trust is key to consensus.<p>- Outsourcing consensus to something mediated by the laws of physics is more stable across time, and is yet another abstraction upon competence taking it outside the realm of US Dollars for social proof, but also adding in the component of physical consequences towards the chain of proof.<p>I&#x27;m also thinking as I write this that it would be important to consider changes in the environment as useful to the selection pressures. Why purely basing it upon success (stake) at one point in time is non-useful as the rules of the game may change, or reputation lost or abused in a PoS system would not accurately reflect changes in the need for rotation of positions of voting authority.

I&#x27;ve heard of proof of time, proof of space, proof of authority... What other oddball mechanisms are out there?<p>eg. Anything like &quot;proof of latency&quot;?

Everything else about cryptocurrency in a scam, and people promoting it are scammers, so this is not exactly a surprise if true.

This article completely misunderstands proof-of-stake and the distributed consensus space in general. Both proof-of-work and proof-of-stake are mechanisms for making distributed consensus sybil-resistant.<p>Distributed consensus is the problem of getting a bunch of computers to agree on some state when some of the computers can behave maliciously. In the case of cryptocurrency, the state is a log of transactions, which when replayed tells you who owns what. There are well-known algorithms for distributed consensus, such as Paxos and Raft, that are used in real-world applications, e.g., the Chubby lockservice.<p>Distributed consensus algorithms can be proven to reach consensus as long as at most a fixed percentage (e.g., 1&#x2F;3) of the computers are behaving maliciously. This assumption is fine for applications like Chubby, where Google is running all 5 of the computers participating in the consensus, and no one can add additional computers. However, this assumption breaks down in the case of cryptocurrency, where anyone can spin up computers to participate. In fact, an adversary can effectively spin up an infinite number of computers. This form of attack is known as a sybil attack.<p>Proof-of-work and proof-of-stake add sybil-resistance to distributed consensus algorithms by requiring the adversary to commit a scarce resource in order to participate in the consensus process. In the case of proof-of-work, the scarce resource is computing power. For proof-of-stake, the resource is the currency secured by the system itself. This may seem a bit circular, but it&#x27;s fine. In order to attack the system, the adversary would have to purchase or borrow a bunch of the currency on the open market, which has an economic cost. Proof-of-work permits the same attack, where the adversary buys or rents computing power instead.<p>From this perspective, the bitcoin consensus algorithm is in fact the odd one. Most distributed consensus algorithms (like Paxos and Raft) rely on some kind of voting system.

Proof of Steak is obviously better: <a href="https:&#x2F;&#x2F;meatver.se" rel="nofollow">https:&#x2F;&#x2F;meatver.se</a>

&gt; To use an analogy, it is as if someone would sit down to design a building in the following way: first, they draw how they would like for the exterior to look. Then, they draw how they would like for the interior to look. They make basic measurements, to confirm that the interior does not exceed the exterior in terms of dimensions. They then suggest that the house is plausible, and send it off to the construction workers to build.<p>For what it’s worth, this is how plenty of buildings are designed. Ignoring silly things like the inside not fitting in the outside, an architect may design the building and hand it off to a <i>technical architect</i> who works out how to make it stand up and has some back and forth with the architect modifying the design. At a later stage it goes to a structural engineer who will make sure that it really is likely to stand.

Not really, its unfair but not a scam. Can we talk about the actual scam known as layer 2 rollup chains? Optimism is completely centralized and even Vatalik is shilling it like a good thing. At least the PoS shill makes sense, it artificially benefits early adopters.

Developing PoS systems for 8 years, the research is completely dated on both old Bitcoin-like PoS and modern PoS.<p>That, and the author has a wrong understanding of the Nothing at Stake problem. At the time, the argument was there was nothing stopping someone from staking on multiple forks to hedge their bet on the dominate chain, giving them nothing at stake on the forked branches since the get equal ownership on each chain.<p>Mind you, Nakamoto consensus is pretty awful and completely ignored these days. Why do you believe that nodes flagged for support of protocols and miners with dominate hashrate LOST the big block debate? Because of the nodes, and community consensus.

Why the change in HN title? &quot;Proof of stake is a scam and the people promoting it are scammers&quot; is clickbait for sure but it&#x27;s the author own title and it is the subject of the article.

I am a retired PoW miner and whereas on one hand I think proof of work is a revolutionary, life altering idea, on the other hand it is a self fulfilling apocalyptic premise with no endgame.

I think what rubs a lot of people wrong about PoS is that it puts a name behind the validator and people don&#x27;t trust people. One may claim that all validations require some level of trust, but it s the same reason why people trust google and not &lt;person&gt;&#x27;s link directory. And people have reasons to be suspicious because they know that when humans become actively malicious they find devilish ways to coopt others, while algoritms can just fail.

It seems the author is confused about the meaning of the word &quot;scam&quot;. PoS might not be as secure as PoW but that does not make the concept some sort of fraud.

This article is terrible and does not explain how proof of stake works let alone how it&#x27;s broken, but links to another (probably better article on etheruem.org). back to studying it for myself, then. I literally have a headache after reading the bitcoin analogy and trying to guess which parts of the analogy I will need to remember for later in the article (hint: none). It would have been simpler to just explain what a nonce and hash is.

In some systems Ive seen, bad actors get slashed (lose stake). I like pOs but it gives too much power to centralized exchanges that hold a large % of stake...

Occam’s razor points to PoW.

regarding the private mining attack:<p>proof of work proves that not just one miner had sufficient hash power, but that the entire network had a certain aggregate hash power that was required to mine the block.<p>can&#x27;t this be emulated by requiring all major stakers to sign the block? (so rather than one miner staking being enough, all the aggregate staked was required to mine the block)

Proof of work is good for jobs that require skill (science, technology, productivity, markets). It’s ok to have proof of stake (corporation shareholders) or proof of vote (communities, unions, families) for things that don’t require skill so much.

PoW came from a paper by Cynthia Dwork (<a href="https:&#x2F;&#x2F;www.wisdom.weizmann.ac.il&#x2F;~naor&#x2F;PAPERS&#x2F;pvp.pdf" rel="nofollow">https:&#x2F;&#x2F;www.wisdom.weizmann.ac.il&#x2F;~naor&#x2F;PAPERS&#x2F;pvp.pdf</a>) not Hashcash

This article is complete BS. Proof of Stake is more secure than Proof of Work for a simple reason. The cost of doing a 51% attack (to stop the blockchain or to start censoring specific transactions) on a PoS blockchain is exponential, whereas the cost of doing such an attack on a PoW network is linear. This is because as an attacker acquires more tokens, the price of remaining tokens increases exponentially as the attacker approaches the 50% mark. If the network is well decentralized in terms of token ownership, it may not ever be possible for the attacker to acquire 50% of tokens; also, their incentive to continue with the attack decreases as their stake in the blockchain increases. Unlike with PoS which requires the attacker to keep buying more (limited-supply) tokens, with PoW, ASIC miners don&#x27;t become more expensive as the attacker gets closer to having 51% of the hash power; this is because the market will produce more ASIC miners to compensate for any increase in demand. The global supply of ASIC miners has no upper bound.<p>The article is also misleading in inferring that there is a very narrow range of ways to implement PoS; in reality, there are many ways and all of the &#x27;drawbacks&#x27; mentioned only apply to certain (poorly designed) implementations which no modern PoS blockchain would ever use.<p>&gt; What happens if you’re presented with two identical blocks, and have to decide which one to pick?<p>Easy, you can just have a vote on one of the block and choose the one with the majority votes; it can be chosen on the basis of any attribute of the block (E.g. commonly you can look at block IDs). This is what PoS blockchains like COSMOS do with the Tendermint protocol. Other blockchains like Lisk have a delayed voting so that consensus is reached after a certain number of blocks.<p>&gt; The entire point of the consensus mechanism was to allow us to tell which transaction was first, without personally having seen it take place.<p>Anyone who understands distributed systems knows that the exact order of transactions (down to a few hundreds of millisecond) cannot be physically determined due to latency between the nodes and the unpredictable geography of participants. This is as true for PoW as it is for PoS. The most important thing (for certain use cases such as DeFi) is that transactions cannot be predictably front-run; using block ID ordering with voting as the basis for selecting between two valid blocks guarantees this. If the forger tried to cheat the system by producing multiple blocks, the network may not be able to reach consensus on the block vote and the forger would not receive any block rewards.

If POS is really as bad as claimed, then why is Ethereum 2.0 going to be using POS?

&gt; If a node can present a lottery ticket of rarity one-in-a-million, the network can conclude the node did about a million lottery tickets’ worth of work, on average.<p>This is not true. You will have scratched far fewer tickets on average than one million.<p>If you have one million tickets, one of them guaranteed to be a winner, you will on average scratch exactly half of them (500 000) before finding the winning ticket. If you have an infinite supply of tickets, each with a 0.000,001 chance of winning, the number becomes higher, but the number of tickets scratched on average is still lower than one million.<p>Finding an error regarding something I know makes me skeptical about the rest of the article.

I&#x27;d expect we get more and more of these pieces as Ethereum gets closer to moving to proof of stake. The current estimate is that it&#x27;ll transition 2022Q1

I don&#x27;t understand the &quot;nothing at stake&quot; problem. Can&#x27;t it be solved by just not allowing people to withdraw the coins they have staked?

The author suggests proof of space as an interesting option but then deliberately avoids commenting on Chia’s implementation of proof of space time. Can someone explain that to me? Is it the pre-mine that drives people away? If so there is already a fork (Flax) with a much smaller pre-mine that is surely worthy of assessment and scrutiny at an algorithmic&#x2F;system level... Or is the author simply acknowledging they aren&#x27;t ready or qualified to comment on PoST versions of Nakamoto consensus?

An intentionally dishonest article.<p>The actual truth is that PoS is infinitely safer than PoW in the short to medium term, while theoretically weaker in the long term. A long-term attack would require first buying obsolete signing keys, which would stop nodes that sync starting from the pre-fork point from syncing - ie. a denial of service attack. Which is in a very weak threat, as online nodes wouldn&#x27;t even notice it. A short to medium term attack would stop finalization for a while at an enormous cost of slashing. It&#x27;s a denial of service attack because nodes would be able to see contradictory signing from the same keys - so while without out of band data they won&#x27;t be able to decide which one is the commonly accepted chain, it&#x27;s enough information to recognize than an attack is happening.<p>PoW is very weak in the short term to medium term because runtime cost of attack is equal to mining rewards + epsilon, which is negligible, meaning it&#x27;s just a question of hardware. Contrary to PoS, mining hardware is an external resource - it&#x27;s always possible to get enough of it, given enough money (single digit billions for bitcoin). Getting 2&#x2F;3 stake of a long-running PoS system is impossible - it&#x27;s a scarce internal resource and there isn&#x27;t enough for sale.<p>Reverting years of blocks is indeed infeasible - but interestingly in practice it would also amount to a DoS attack, as everyone would notice it and pause all payments. Contrary to PoS, where it would only work on newly syncing nodes, it would stop everyone. However, while theoretically more expensive, it&#x27;s still only a matter of money - while a long-run DoS attack against newly syncing nodes in PoS would require buying obsolete keys, which is very likely to be impossible in practice.<p>Is this even an advantage? I don&#x27;t think so, but it&#x27;s arguable. However, for this singular arguable point PoW pays with a 4 orders of magnitude higher cost and a much, much weaker short and medium term security.<p>Empirically, lower security of PoW is confirmed: multiple 51% attacks happened (most famously ETC), while even a much weaker DPoS coins never had a successful double spend attempt.<p>In terms of public trust, not many people are able or even interested in technical arguments - they just observe if something works. In reality, consensus-level attacks are very rare as it&#x27;s currently very hard to profit from them regardless of the consensus method, and the biggest danger is from software bugs in nodes, most likely unrelated to consensus.<p>If any PoW blockchain became a foundation of global commerce, attacking it would become very profitable, or even a military target - but that&#x27;s never going to happen. So I don&#x27;t expect bitcoin to get 51% attacked in any near future - at best years in the future when value of block rewards is so low one person with lots of old mining hardware can attack it just for fun.

What is preventing someone from DDOS a cryptocurrency network by spamming it with inane transaction between 2 people?

Decred witch is a dao focused on evolving with governance had an interesting block reward split, 60% miners, 30% pos (you get chosen randomly) and 10% tresuary.<p>Seems miners have been driving the price down for years and a new proposal just was written to give them only 10%, and 80 to stakeholders.<p><a href="https:&#x2F;&#x2F;proposals.decred.org&#x2F;record&#x2F;427e1d4" rel="nofollow">https:&#x2F;&#x2F;proposals.decred.org&#x2F;record&#x2F;427e1d4</a>

Crypto is a weird space. Firdt thing to make clear is if OP has a vested interest in another blockchain platform

Flagging this post, because most definitions of scam involve fraud and here is not fraud involved.

When you see articles like this, buy more Ethereum not less. It means they are scared of it.

Are there known issues&#x2F;vulnerabilities with using something like Proof of History?

Proof-of-stake is the closest thing to centralization there is in cryptocurrency.

&quot;everything I didn&#x27;t manage to gain from is a scam&quot; - the article

Does proof of history as implemented by Solana find a middle ground here?

PoW only works for the biggest chains that use the specific heading Algo. Smaller PoW chains regularly experience re-orgs.<p>IMO PoW for the bigger chains produce far too much waste &amp; none of the supposed PoS attacks have materialized even though hundreds of millions are up for grabs

I really like the analogue with aluminium smelting. This is what bitcoin mining is nowadays, plus the increasing difficulty.<p>Prof of stake is analogous to Wall Street institutions and probably modelled after them.

What about delegated proof of stake?

The cope is strong with this one.

Speaking of POS scammers, what ever happened to Richard &quot;Dodge Dodge&quot; Heart, winner of the &quot;Golden Pump Award&quot; for &quot;Best New Scam&quot; for his POS get-rich-quick pyramid scheme called &quot;HEX&quot;, who falsely claims that proof of stake is a proven successful replacement for proof of work, and who shills HEX and tries to recruit unsuspecting developers and victims here on HN and many other places, by making illegal false claims of providing CDs (certificates of deposit)?<p>To be fair, I&#x27;d love to hear him chime in on this discussion, and tell his side of the story, relate his exploits and prosecution as a viagra spammer, and finally answer all those unanswered questions people have asked him, to which he replied &quot;Dodge Dodge&quot;.<p>Not that he&#x27;s unique or special: POS shills like him are a dime a dozen. But he hangs out here and shills on HN, and has won awards for his deceptive scams (and also lost court cases too), and claims to &quot;help people&quot; on his web site, so I hope to hear from him again.<p><a href="https:&#x2F;&#x2F;richardheart.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;richardheart.com&#x2F;</a><p>His real name is actually Richard J Schueler, under which he is famously known as the &quot;Spam King&quot;, for being one of the first people in the world to be successfully sued for online spam, specifically the Viagra spam scheme that he ran from Panama (which he lost).<p>Richard Hart (aka &quot;Spam King&quot; Richard J Schueler) wins the &quot;Golden Pump Award&quot; for &quot;Best New Scam&quot; for his POS shitcoin Ponzi scheme &quot;HEX&quot;:<p><a href="https:&#x2F;&#x2F;twitter.com&#x2F;JuanSGalt&#x2F;status&#x2F;1233242355995750400" rel="nofollow">https:&#x2F;&#x2F;twitter.com&#x2F;JuanSGalt&#x2F;status&#x2F;1233242355995750400</a><p><a href="https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?time_continue=857&amp;v=tf-lJu5iDh8&amp;feature=emb_logo&amp;ab_channel=WorldCryptoNetwork" rel="nofollow">https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?time_continue=857&amp;v=tf-lJu5iDh...</a><p>Peacefire.org beats spammers in court.<p><a href="https:&#x2F;&#x2F;www.zdnet.com&#x2F;article&#x2F;peacefire-org-beats-spammers-in-court&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.zdnet.com&#x2F;article&#x2F;peacefire-org-beats-spammers-i...</a><p>&gt;Free-speech group Peacefire.org wins a legal round in its fight against unsolicited e-mail, invoking Washington state&#x27;s anti-spam law.<p>&gt;The King County District Court in Bellevue, Wash., on Monday granted Peacefire $1,000 in damages in each of three complaints filed by Peacefire Webmaster Bennett Haselton. The small-claims suit alleged that Red Moss Media, Paulann Allison and Richard Schueler [who now operates under the pseudonum &quot;Richard Hart&quot;] sent unsolicited commercial messages to Haselton that bore deceptive information such as a forged return e-mail address or misleading subject line.<p>Confronting Richard Heart of HEX - SPAM KING and Crypto Scammer<p><a href="https:&#x2F;&#x2F;www.cointelligence.com&#x2F;content&#x2F;confronting-richard-heart-of-hex-spam-king-and-crypto-scammer&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.cointelligence.com&#x2F;content&#x2F;confronting-richard-h...</a><p>&gt;During ANON Summit 2020, I participated in a “fireside chat” with Richard Heart, founder of HEX. HEX is one of the most sophisticated, if not THE most sophisticated scams I have ever seen.<p>&gt;Why was I so aggressive with Richard? I have a lot of experience fighting with scammers, at events, and in online discussions. I’m familiar with their bullshit techniques. Richard is the sort of “master debater” who will answer a question without actually answering the content of the question. I watched more than 6 hours of his previous talks and learned how to tell when he was trying to avoid a real answer.<p>&gt;If you don&#x27;t want to sit through hours of interviews yourself, this 4 minute video not only sheds light on Heart&#x27;s motivation for establishing HEX, but also shows just how abrasive and crude he can be. This video was not created or edited by Cointelligence.<p><a href="https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=_MIdlXHedlU" rel="nofollow">https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=_MIdlXHedlU</a><p>&gt;I want to draw your attention to the quote in the video above: &quot;What am I going to make more money doing? Promoting my token, that I own a whole ton of? Or promoting bitcoin, where I own one-one zillionth of the available supply?&quot; He&#x27;s clearly in this to make money for himself in any way possible. [...]<p>&gt;When asked why HEX was not categorized as a security, at around the 21 minute mark, Richard offered an explanation that has no legal grounding. On the website, HEX claims that it is &quot;The first high interest blockchain certificate of deposit.&quot; However, HEX has no legal authority to issue CDs. Richard is illegally claiming to provide CDs when in fact the instruments are nothing but glorified savings accounts.<p>More quotes: &quot;What&#x27;s up now, f<i>ggot? What are you going to do now, you little b</i>tch? Get the fuck out of here! That&#x27;s the dumbest piece of shit I&#x27;ve ever seen in my fucking life. [...] Let me give you some more bullshit, ok?&quot; -Richard Heart aka Richard J Schueler<p>Richard Heart - Spam, ICOs, and Death Threats<p><a href="https:&#x2F;&#x2F;imnotdead.co.uk&#x2F;blog&#x2F;richard-heart" rel="nofollow">https:&#x2F;&#x2F;imnotdead.co.uk&#x2F;blog&#x2F;richard-heart</a><p>Richard James Schueler - Friggin Spam King<p><a href="https:&#x2F;&#x2F;web.archive.org&#x2F;web&#x2F;20190416235350&#x2F;http:&#x2F;&#x2F;www.panama-guide.com&#x2F;article.php&#x2F;20070926122502156" rel="nofollow">https:&#x2F;&#x2F;web.archive.org&#x2F;web&#x2F;20190416235350&#x2F;http:&#x2F;&#x2F;www.panama...</a><p>Why HEX is a Ponzi and not a solid investment (Part 2): Richard Heart<p><a href="https:&#x2F;&#x2F;www.reddit.com&#x2F;r&#x2F;CryptoCurrency&#x2F;comments&#x2F;kwhjxa&#x2F;why_hex_is_a_ponzi_and_not_a_solid_investment&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.reddit.com&#x2F;r&#x2F;CryptoCurrency&#x2F;comments&#x2F;kwhjxa&#x2F;why_...</a><p>&gt;During the interview at ANON, Richard confirmed that he was one of the first people in the world to be sued for online spam, back in 2002. This shows us Richard has experience abusing unregulated markets, as he is doing with crypto these days.<p>Richard: this an accurate quote of your own words?<p>&gt;When I pressed the matter and asked for a simple “yes” or “no” as to whether he, as the FOUNDER of HEX, knows who benefits from the funds sent to the “Origin Address” he flat-out said “I’m dodging your question.” Dodging the question! He proceeds to repeat “Dodge, dodge.”<p>Richard, your tag-line &quot;Do you want to develop my new cryptocurrency?&quot; is the new &quot;Do you want to develop an app?&quot;<p><a href="https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=jVy0JWX5XEY&amp;ab_channel=AdultSwim" rel="nofollow">https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=jVy0JWX5XEY&amp;ab_channel=Adult...</a><p>&quot;Dodge, dodge.&quot; -Richard Heart aka Richard J Schueler

hashcash was not obscure even before bitcoin came out

Whether PoS will work, I don&#x27;t know. But the author didn&#x27;t realize that PoW is certainly doomed.<p>PoW miners tend to spend more and more resources on finding blocks, until the cost approaches the rewards. But the rewards go up as the cryptocurrency becomes more popular, because the price and transaction fees go up. Therefore, a PoW cryptocurrency tends to &quot;eat the world&quot; as it becomes bigger.<p>That&#x27;s why Bitcoin is already approaching 1% of global electricity consumption, if it hasn&#x27;t passed that point already. If the price were to go up tenfold, then so would electricity usage (roughly). That&#x27;s not sustainable, both technically for grids and economically because electricity prices go up.<p>Because of that, I foresee two possible futures for PoW cryptocurrencies:<p>1. The resource usage overshoots and PoW collapses because it gets banned everywhere. (This seems to be playing out now with China having banned crypto mining, Kazakhstan running into grid issues because of the miner influx, and Sweden arguing for a ban in the EU.)<p>2. The popularity of these currencies stops growing and only some niche applications remain. Speculators leave because there&#x27;s no more money to be made. Prices go down.

Why do unsophisticated, redundant, vitriolic takes like this get upvoted on HN so much? Is there some common ax to grind here?<p>The strongest point here is the strawman presentation of the altered security model that PoS can be proven to form consensus under. Reading the source he cites is far more informative: <a href="https:&#x2F;&#x2F;blog.ethereum.org&#x2F;2014&#x2F;11&#x2F;25&#x2F;proof-stake-learned-love-weak-subjectivity&#x2F;" rel="nofollow">https:&#x2F;&#x2F;blog.ethereum.org&#x2F;2014&#x2F;11&#x2F;25&#x2F;proof-stake-learned-lov...</a><p>The majority of the article frames distributed consensus mechanisms in an extremely sophomoric understanding of asset value and the PoW security model. All of these topics (including valid ETH criticisms) are discussed in much better ways in many other places.

Can&#x27;t wait for the day all PoW mining activities are declared illegal.<p>To be honest, I don&#x27;t understand why it hasn&#x27;t been banned already.<p>Sweden has recently called for a EU wide ban because it identified PoW mining as a threat to transition their economy to renewable energy.<p><a href="https:&#x2F;&#x2F;www.fi.se&#x2F;en&#x2F;published&#x2F;presentations&#x2F;2021&#x2F;crypto-assets-are-a-threat-to-the-climate-transition--energy-intensive-mining-should-be-banned&#x2F;#dela" rel="nofollow">https:&#x2F;&#x2F;www.fi.se&#x2F;en&#x2F;published&#x2F;presentations&#x2F;2021&#x2F;crypto-ass...</a>

The author takes issue with the Phone-a-friend-consensus (PFC) for establishing base consensus. I disagree with his objection for two reasons:<p>1. For all consensus systems, at least a vast majority will rely on PFC for base consensus since they will not personally audit the client software they download, and thus will rely on PFC to determine which software distribution channel to trust to download the client software from. In other words, there is in practice no pure PFC-free consensus protocol, to be taking such a hard stance on Proof of Stake for its reliance on it.<p>2. The Schelling Point PFC in Proof of Stake will always be the real order of transactions, and therefore PFC will be highly reliable. Cases like Bitcoin&#x27;s block size hard limit dispute, and Ethereum&#x27;s DAO hack rollback dispute, dealt with something other than order of transactions, and in both cases, the dispute was severe enough to lead to a hard fork - which jettisonning PFC can&#x27;t protect against - regardless.