Controlling 51% of all staked ETH is enough to launch some attacks, but the cost of the attack is way way higher than in PoW. The gist of it is that the community can reach a new consensus in which the malicious majority staked funds simply don't exist anymore. This means any single attack costs a lot of money, and there's a well-known recovery process to negate the attack and penalize the attacker.
A 51% staker who attempted to reverse transactions on ETH2 would be automatically penalized by the destruction of their stake. The network would keep running and the end result would be a large sudden deflation of ETH. On PoW this would be like an attacker's mining rig burning down.
A 51% staker who just censored transactions could hold out longer. If the problem were severe, the community would have to decide whether they want to manually fork off the attacker. The equivalent for PoW would be changing the hash function.
Gaining 51% can be more expensive to do on PoS than on PoW. If 10% of the tokens are staked, you need to accrue another 10% of the total market cap. On PoW, if the annual inflation rate is 2%, the hardware is good for two years, and half the mining cost is electricity, then the total value of mining equipment is only 2% of the market cap, and that's how much you'll have to spend to get 51%. (If miners are rentable, then much less for a brief attack.)
This just seems like handwringing at the circularity of using stake (i.e. past transactions) to decide what blocks get validated (i.e. future transactions.) But it's wrong:
First, attackers would need to collude to control 51% of the staked coin on the network to double-spend. There's no disincentive to stake (you won't lose coin if you're acting honestly), so stakes should approach the market cap of ETH itself.
Second, even with a 51% attack you can't keep giving yourself money to solidify your stranglehold on the network. All you can do is double-spend, which doesn't help you raise your stake. And when your attack eventually fails, you're punished by losing your entire stake - wiping out 51% of ethereum.
Finally, the "healing" the author alluded to of ETH would still happen. If an attack were carried out, and somehow managed to persist, honest miners would fork ethereum and blacklist all the coins that went into the malicious stake, rendering it impossible to mount again.
Just because security is circular in a sense doesn't mean it's insecure.
Ethereum lowered the issuance rate dramatically when it changed to PoS.
The reason it was able to do this without lowering the cost of a 51% attack is that it no longer has to rely on rewards alone. It can also apply penalties. Certain provable attacks result in automatic destruction of stake. In PoW terms, it's as if a 51% attack caused the attacker's mining rig to burn down.
1. Under PoW, a 51% attacker can continuously attack profitably. All the energy they expend gets returned as mining rewards just like normal, and they can potentially even (up to) double their rewards if they censor the other 49%. The only way to stop this aside from changing the PoW algorithm is to physically locate and seize the mining rigs.
2. Majority stakers can't change the rules of the system either.
> The threat of a 51% attack still exists in proof-of-stake but it's even more risky for the attackers. To do so, you'd need to control 51% of the staked ETH. Not only is this a lot of money but it would probably cause ETH's value to drop. There's very little incentive to destroy the value of a currency you have a majority stake in. There are stronger incentives to keep the network secure and healthy.
The keypoint seems to be that if your attack fails your stake gets destroyed so besides the positive incentives (a good stable network working for all) this system also relies on punishing failed attacks.
Proof of stake doesn't prevent 51% attacks. It eliminates the incentive. If an attacker controls 51% of coins, why would they attack the network? That would be attacking their own wealth.
>Another aspect of this is 51% attacks are recoverable for PoW, but are a permanent takeover condition for PoS networks. If a single entity ever accumulates more than half the tokens on a PoS network, they are unassailable.
This is not true. PoS has many design flavours and the one Ethereum is planning on implementing includes random selection of validators and the amount staked has no influence on the inclusion or the vote "weight".
Also with PoS an attacker will always incur economic losses similar to having your mining rig burning down if you were to try to foce a bad block through. In PoW networks attackers can keep on mixing attacks with producing normal blocks and remain profitable
Indeed, this is true. I was also assuming you would be buying the ETH from other stakers (if not, you would need $8B in ETH at spot price) and that you as an attacker have the ability to make the network desynchronous (if not, you would actually need 1/2 the total stake rather than 1/3). These are just generous assumptions that give us a lower bound on how much money it would actually take to attack the network.
> Also once a majority of stakeholder hit 51% there is no way to take away the 51%
You could do a hard-fork and slash their stake. In PoW, you can't do this.
> With PoW, an entity could theoretically out mine the 51% attacker
Not in the case of "selfish mining attack", where you may never know that an attack is happening until it's too late, you'll have little chance in defending with hashpower since the attackers will have a significant head start...
We call it a 51% attack an attack, but from the perspective of PoW it's always about the chain with the most work. Anyone is just as valid as anyone else to propose blocks. That's the point of Bitcoin: a way to always figure what the truth is, and make it as expensive as possible for people to attack/change this truth.
The only problem here is that PoW only knows one cost: hashing, and due to macro shifts in mining hardware this can sometimes go down a lot more than the value of a coin (which makes the cost of this attack worth it).
As soon as you start introducing measures to subvert this attack you are subverting either decentralization or stability. If you for example program clients to not accept reorgs deeper than 10 blocks (for example) you simply introduce new attack vectors that can split the network (into following different chains - which is even scarier than 51% attacks).
If every x blocks you snapshot the chain and force everyone to follow that snapshot you just centralized the chain, etc.
I haven’t looked through the entire thread but the challenge of recovering from a PoW 51% attack is that the attacker still holds ASIC mining power and can re-attack each new fork. The same is not true in PoS where the attacker’s funds can be targeted and effectively depleted in a fork, leaving it prohibitively expensive for the attacker to continually attack each new fork.
See the “spawn camping” description and defence in my prior link.
It seems very simple to me. The network would be controlled by custodians including exchanges and banks. And under an attack the network would be over: the malicious stakers can basically pay themselves and suffer no cost to continue the attack. Conversely with PoW there is a sustained huge expense to continue to perform an attack, and the PoW can be changed by a fork. I would never consider this to be acceptable. Not that ASICs run by China aren't currently an abysmal situation either, but that is only a problem because bitcoin has no privacy
The capability of performing a 51% attack and sustaining a 51% attack are very different. Performing a 51% attack by mining a single gets you nowhere (at most you can revert some transactions, that block will eventually be orphaned).
Today i believe, most usage of Bitcoin is for legitimate purposes. There is always lots of illegal use cases for anything with value, if it has value, people will do illegal s** to get it and will use as payment. Human nature.
The energy used since the inception of the network is what makes the network valuable.
Think of it this way: to create a cryptocurrency you need some "value" attached to it, Bitcoin does this by converting energy->work->bitcoin, you add "value" to the network in the form of energy and get bitcoin back (you get your "value" back in the form of money when you sell the mined BTC). Ethereum took a different approach (token sale + PoW) and now are moving to PoS.
Pure PoW seems the only way to launch a completely anonymous and decentralized crypto
Well, the security of Bitcoin == amount of transaction fees + block rewards. The cost to 51% attack the network is opportunity cost of mining valid transactions
So you either get secure wasteful bitcoin, or insecure bitcoin. Not really any other options with PoW
>…effectively becoming the central point where power is concentrated.
More ETH/= more power. In my understanding, an attacker would need to control half of all staked ETH to stage a 51% attack, which would require many billions of dollars. But actually exercising this control by attacking the network would undermine the network’s security/utility, potentially sending ETH to zero and obliterating the wealth of the attacker.
This is, supposedly, a strength of PoS: the more ETH you have, the less incentive you have to attack/destroy the system.
One thing I haven't been able to figure out about proof of stake is this:
if one entity somehow manages to control over half to the total ETH tokens, does this enable an attack analogous to bitcoin's 51% problem (which happens when one miner controls over half of the network's raw cpu power)?
Consistent 51% attacks rely on Bitcoin already being more-or-less worthless. If it is, then yes, the cost of terrorizing the network will be low. The same follows based on Vitalik’s argument for why PoS is supposedly too expensive to attack.
The difference is if you want to terrorize Bitcoin, you need to find energy and compute at relatively low cost compared to everyone still on the network. With Ethereum, you just need to acquire ETH.
reply