Proof-of-Stake at Stake: Predatory, Destructive Attack on PoS - - PowerPoint PPT Presentation
Proof-of-Stake at Stake: Predatory, Destructive Attack on PoS Cryptocurrencies 3rd CryBlock @ MobiCom 2020 25th September 2020, Virtual Suhyeon Lee (Speaker) and Seungjoo Kim* School of Cybersecurity, Korea University {orion-alpha,
Suhyeon Lee (Speaker) and Seungjoo Kim*
3rd CryBlock @ MobiCom 2020 25th September 2020, Virtual
School of Cybersecurity, Korea University {orion-alpha, skim71}@korea.ac.kr
* Corresponding author
Proof-of-Stake (PoS) is getting a vote power from the behavior “staking” which makes some amount of coins bonded for a while.
Proof-of-Work (PoW) mining of Bitcoin exceeded the electricity usage of Switzerland. On the other thand, staking spends little energy so eco-friendly and intuitive.
For security, PoS has two main penalties to attackers.
We will discuss again later.
Diversity of PoS
Nguyen et al., "Proof-of-Stake Consensus Mechanisms for Future Blockchain Networks: Fundamentals, Applications and
[Advantage of staking] “A minter’s chances of being selected as the next block producer rely specifically on the number of coins held and time in the form of coin age and some amount of luck.”
peercoin.net
[Condition of staking] “Minters are first required to hold coins in their wallet for a total of 30 days before they can become eligible to compete in the process of minting new blocks.”
peercoin.net
[majority attack] “A malicious actor would need to purchase enough coins ... the price per peercoin to
would likely bankrupt the attacker in the process.”
peercoin.net
[value-at-loss] “The one-sentence philosophy of proof of stake is thus not security comes from burning energy, but rather security comes from putting up economic value-at-loss”
Vitalik Buterin. 2016. A Proof of Stake Design Philosophy. https://medium.com/@VitalikButerin/a-proof-of-stake-design-philosophy-506585978d51.
[slashing] “the evidence of the violation can be included into the blockchain as a transaction, at which point the validator’s entire deposit is taken away with a small “finder’s fee” given to the submitter of the evidence transaction.”
Vitalik Buterinand Virgil Griffith. 2019. Casper the Friendly Finally Gadget
Vitalik Buterinand Virgil Griffith. 2019. Casper the Friendly Finally Gadget
As long asa majority of CPU power is controlled by nodes that are not cooperating to attack the network, they’ll generate the longest chain and outpace attackers. Bitcoin Whitepaper
when we say “2/3 of validators”, we are referring to the deposit-weighted fraction; that is, a set of validators whose sum deposit size equals to
Casper the Friendly Finally Gadget
… to the permissionless setting as in the original Algorand protocol, where the Adversary can corrupt users adaptively and instantaneously, but cannot control more than 1/3 of the
ALGORAND AGREEMENT
In order for more than 1/3 of dishonest
economic incentive to be more than one- third dishonest participants. But can we be sure?
The figure shows the staking limitation from liquidity.
Liquid Supply: 31.5B Max Supply: 45B
Somehow, Benefit > Loss
Attacker
“I think I can hedge the risk”
Cryptocurrency exchanges provide short selling and financial derivatives including margin trading to bet investors (or speculators) money.
We independently studied shorting attack in PoS cryptocurrencies. On the other hand, there are researches of shorting attack to financial institutes
The stock price is not everything but partially shows the value of companies. Thus, aggressive shorting can make financial institutes looked like they do not have enough money to continue their business.
Creditors
No more than 33% stake No more than 51% resource We take a different assumption. We takes a majority possession limitation rule, not no more 1/3 of staking.
Definition 1 (β-depreciation) In a PoS cryptocurrency, when a player violates a rule, the market value of the cryptocurrency by β % depreciated. Definition 2 (γ-slashing) In a PoS cryptocurrency, when a player violates a rule, γ% of his stake is slashed.
Assuming β-depreciation, and γ-slashing. The cryptocurrency’s total supply → 1 The average staking ratio → s Attacker’s amount of short selling → N Amount that the attacker needs to invest → at least s/3 The attacker’s seed money → N + s/3 After sabotage, The value of the attacker’s staking → (1- β)(1- γ)s/3 The result of the attacker’s short selling → (1+ β)xN Then the least seed money to reach the break-even point for the shorting attack is s/3(2+(1+ β)γ/β).
Slashing limits shorting attack strongly. But if the attacker can ruin the value of a PoS cryptocurrency, it will make a big profit to the attacker.
as functions in PoS cryptocurrency systems
discourage dishonest players
Suhyeon Lee
Ph.D student in Korea University