Here are some readings on why I personally think PoS is a nightmare:
The Monopoly effect
Forgers on the PoS blockchain typically receive rewards proportional to their staked value. This means that already quite influential participants on the blockchain will become even more influential over time. Because each token has the same chance of being picked as the next validator, the odds of getting chosen as the next validator rise with the amount of tokens one holds. Whereas PoW works to the benefit of those with the most hashing power, PoS designs the game in favor of those with the most tokens available for staking. Just like Bitcoin mining adheres to the principle of economies of scale, in PoS the profit margins of high stakers are significantly higher. Regardless of the amount of tokens staked, the wallets of participants have to be online. To be online, participants need resources including hardware, electricity, and an internet connection. In a way, there are fixed costs associated with forging blocks on a PoS consensus algorithm. Consequently, the forger who stakes 1 ETH and the forger who stakes 3 ETH both have to pay the same amount of fixed cost to stake. This entails that the higher the stake of the forger, the higher their profit margins. Additionally, the staking algorithm will reward those that are most active on the protocol. One might find this a desirable property of the blockchain, because it encourages participation, but a similarly unequal distribution of influence and wealth may result as in PoW. If participation is rewarded in tokens and more tokens create disproportionate opportunity to influence the system, then unequal influence over the system may arise in PoS blockchains by default. Without a correction in the protocol, a larger ETH stakeholder will grow their stake faster than a small ETH stakeholder. After some time the relative cost for some forgers to stay in the network will be too high and they will be forced off the network.
Proof of stake – General thoughts on the weakness
With PoW, the hash puzzle is generated by the network. The difficulty is set by consensus rules and the randomness is set by the data in the previous block. The miner needs to generate a random nonce to find a solution to the hash puzzle.
The only way to do a double spend is by withholding blocks and secretly mining a longer chain than the entire network. This requires 51% of the hashrate (or a bit less if you’re lucky).
With PoS, there is no hash puzzle. This means that the validator whose turn it is to sign a block can easily create multiple blocks (and thus forks) to try to double spend coins. Also there is no objective way to determine which chain is “the real chain”. With PoW this is determined by the chain with the most accumulated PoW, but this option (obviously) isn’t available with PoS.
There is also no real randomness. Which user/address will be allowed to sign the next block is determined deterministically by data in the blockchain, which means that a signer can know in advance which user/address will be allowed to sign the next block based on the block data he is signing.
PoS reverts back to an unsafe version of PoW
If a signer knows which address will be picked as the next validator, it is (at least theoretically) possible for the current validator to manipulate the data in the block he’s currently signing in such a way that he’ll be the next signer.
Some examples on how block data can be manipulated:
transaction malleability
sending transactions to oneself
dropping transactions from the block
changing the order of the transactions within the block
This leads to a very dangerous attack: when a validator is picked by the network, he can then calculate (Proof of Work!) a lot of possible blocks and try to find a new block that will enable him to be the new validator. He can even try to find a series of blocks that will make him the validator for (for example) the next 10 blocks. Meanwhile he can publish another block for which he won’t be the next validator. By doing this, he has the ability to double spend. Once he has managed to pull off the double spend, he releases his other chain for which he’s the only validator. This chain will then become the longest chain and the attacker has double spent successfully.
Note that if the validator didn’t manage to “attack” the network, he can try again when it’s again his turn to sign a block. One does not need 51% of the coins to be able to attack. This assumption made by proponents of PoS is -imho- false.
Also the cost of attacking is significantly lower compared to PoW. While for a 51% attack on PoW you need to spend a lot of money on electricity and you need to continuously spend that money, an attack on PoS can be done with a minimal amount of energy.
Reverting a transaction retroactively is nearly impossible with a PoW system, because you’ll need to have a lot of hashing power to “go back in time”. If you want to revert a transaction that has 1 confirmation, you need to mine 2 blocks while the whole network is searching for 1 block.
h^2 = (1-h) => h = 61.8%
You need 61.8% of the total hashrate to change a transaction with 1 confirmation, on average. Note that if a transaction has more confirmations, you need a larger share of the total hashrate of the network.
In the case of PoS, you can easily try to revert every transaction from a block height in the chain where you were a validator, and you don’t need to spend substantially more to revert a transaction that has more confirmations.
—
PoS attacks can be “solved” by centralization
This attack can be “solved” by having a limited number of “trusted” witnesses that keep track of which blocks they received first. If they then detect an alternative version of a block, it indicates an attempt to attack the chain. Then these witnesses can flag the attacker and he may be punished by losing a part of his stake.
The problem with this is that this group of witnesses/people/nodes/validators/… need to be trusted. It’s not decentralized. Once the witnesses are in power, they can collude to attack the chain.
This witness system also raises a lot of questions surrounding reaching consensus: what if a few witnesses disagree with the others? Who is right? The majority? It’s not as easy as it looks, because an attacker can try to submit his block with the double spend to a majority of the witness nodes and the ‘fair’ block to a minority of the nodes. If he succeeds, the attacker “legitimately” double spends!
It is pretty obvious a currency doesn’t want to have anonymous witnesses. If they are anonymous, they have a very big incentive to attack the chain themselves and perform double spends. After all, there is no objective way to determine who “is telling the truth” when a double spend happens. So there will usually exist a process to appoint these witnesses. This will in practice often look like elections.
In Bitshares it’s quite literally that. They use “Delegated proof of stake” (DPOS), in which people need to be trusted community members to be able to raise enough stake votes to become a witness. In DASH the requirement to be a witness (aka masternode) is currently owning 1000 DASH, but this will change once the “evolution savings account” goes live, which will be a variant of DPOS. The Casper system proposed by Ethereum will likely also be a variant of DPOS with a limited number of witnesses. So for currencies that have some kind of witness election, these public people who act as witnesses can be forced by governments to censor or even revert certain transactions.
—
Proof of stake – the choice between a constant forking blockchain or centralized witnesses
To conclude, a naive implementation of PoS will lead to a blockchain that is able to fork and do reorgs constantly, which is completely unworkable. Why didn’t we see this yet? My guess is because the on-chain value never was high enough to be worthy of an attack.
The “solution” by centralization depends not on decentralized hash puzzles but on trusting individuals not to cheat. This is certainly not permissionless. These solutions aren’t decentralized and the government can thus easily try to force witnesses to censor certain transactions.
This leads me to the conclusion that PoS currencies can’t guarantee censorship free transactions, which is -imho- the only value behind a cryptocurrency. If we accept censorship, we can just start using Paypal. No need for an inefficient blockchain at all.
Some authors argue that proof of stake is not an ideal option for a distributed consensus protocol. One issue that can arise is the “nothing-at-stake” problem, wherein block generators have nothing to lose by voting for multiple blockchain histories, thereby preventing consensus from being achieved. Because, unlike in proof-of-work systems, there is little cost to working on several chains, anyone can abuse this vulnerability by attempting to double spend “for free”.
Statistical simulations have shown that simultaneous forging on several chains is possible, even profitable. But proof of stake advocates believe that most described attack scenarios are impossible or so unpredictable as to be only theoretical.
Just some arguments. There are more if you look further, for example. While for many Bitmain looks like evil #1, I could think of 100 more dangerous evils that could take advantage of PoS.
Just as a fictive scenario. Let’s say we have a project on PoS that somehow can compete with PayPal, Mastercard or Visa. As said, just as a fictive example. All one of these companies would have to do is buy a high stake and take it over “more or less” hostilely, or even sabotage it. Just something that comes to my mind immediately.
As said, it’s only my personal opinion that PoS is the worst compared to PoW in whatever form.
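The post's "h^2 = (1-h) => h = 61.8%" line is the one piece of arithmetic in it, so here is that criterion carried through as a worked example. This is added code, written for this page; it is not from the original post or from any of the projects it mentions. It uses the post's own simplified model (the attacker must mine 2 blocks while the rest of the network mines 1, and h is the share at which both outcomes are equally likely), solves it exactly for 1 confirmation, and, as an assumption about how that model extends, generalises it to k confirmations as h^(k+1) = 1 - h. It is not the full Nakamoto catch-up analysis, which also accounts for the race continuing after the first honest block.

```python
"""Added example: the post's 'equal odds' criterion for reverting a
confirmed transaction under PoW.

Model used (taken from the post): reverting a 1-confirmation transaction
is a race in which the attacker needs 2 blocks while the honest network
needs 1.  Each block is found by the attacker with probability h, the
attacker's share of total hashrate.  The post sets
    h^2 = 1 - h  ->  h = (sqrt(5) - 1) / 2  ~ 0.618.

Extension (an assumption of this example, not stated in the post): for k
confirmations the attacker needs k + 1 blocks while the network needs 1,
so the criterion becomes h^(k+1) = 1 - h.
"""
import math
from typing import Dict


def attacker_wins_race(h: float, k: int) -> float:
    """Probability the attacker finds the next k+1 blocks before the honest
    network finds one, with independent per-block attacker probability h."""
    if not 0.0 <= h <= 1.0:
        raise ValueError("h must be a fraction of total hashrate")
    if k < 0:
        raise ValueError("k must be non-negative")
    return h ** (k + 1)


def honest_wins_first(h: float) -> float:
    """Probability the honest network finds the very next block."""
    return 1.0 - h


def required_share(k: int, tol: float = 1e-12) -> float:
    """Hashrate share at which the attacker's chance of mining k+1 blocks
    equals the honest network's chance of mining 1: the root of
    f(h) = h^(k+1) + h - 1 on (0, 1).  f is strictly increasing with
    f(0) = -1 and f(1) = 1, so bisection finds the unique root."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if attacker_wins_race(mid, k) - honest_wins_first(mid) < 0.0:
            lo = mid  # attacker still behind: need a larger share
        else:
            hi = mid
    return (lo + hi) / 2.0


def required_share_one_confirmation() -> float:
    """Closed form for k = 1, matching the post: h^2 + h - 1 = 0."""
    return (math.sqrt(5.0) - 1.0) / 2.0


def share_table(max_k: int = 6) -> Dict[int, float]:
    """Required share for 1..max_k confirmations, rounded to 4 places."""
    return {k: round(required_share(k), 4) for k in range(1, max_k + 1)}


if __name__ == "__main__":
    print(f"1 confirmation, closed form: {required_share_one_confirmation():.4f}")
    for k, h in share_table().items():
        print(f"{k} confirmation(s): attacker needs about {h:.1%} of hashrate")
```

The numeric solver and the closed form agree at 0.618 for one confirmation, and the required share rises with every extra confirmation, which is the point the post makes in words. The same "how much share makes the revert a coin flip" question has no PoW-style answer in a naive PoS design, since producing an alternative block costs the validator nothing extra.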