Proof-of-Stake at Stake: Predatory, Destructive Attack on PoS Cryptocurrencies

Suhyeon Lee (Speaker) and Seungjoo Kim*

3rd CryBlock @ MobiCom 2020, 25th September 2020, Virtual

School of Cybersecurity, Korea University
{orion-alpha, skim71}@korea.ac.kr
* Corresponding author

Index

•Proof-of-Stake

•PoS Philosophy

•Shorting Attack

•Conclusions

Key Questions:

1. What are the assumptions of PoS?

2. Isn’t it profitable to be a dishonest player in PoS?

Proof-of-Stake (PoS)

Proof-of-Stake (PoS)

In Proof-of-Stake (PoS), a participant gains voting power through “staking”, which bonds some amount of coins for a period of time.

Proof-of-Stake (PoS)

Proof-of-Work (PoW) mining of Bitcoin has exceeded the electricity usage of Switzerland. Staking, on the other hand, spends little energy, so it is eco-friendly and intuitive.

Fig. Electricity usage of Bitcoin mining

Proof-of-Stake (PoS)

For security, PoS imposes two main penalties on attackers:

1. Depreciation

2. Slashing

We will discuss these again later.

Proof-of-Stake Security Issues

•Nothing-at-Stake

•Long Range Attack

•Grinding Attack

•(Shorting Attack) ← today’s topic

Diversity of PoS

Nguyen et al., "Proof-of-Stake Consensus Mechanisms for Future Blockchain Networks: Fundamentals, Applications and opportunities"

PoS Philosophy

PoS Philosophy

•Peercoin is the pioneer of proof of stake

[Advantage of staking]

“A minter’s chances of being selected as the next block producer rely specifically on the number of coins held and time in the form of coin age and some amount of luck.”

peercoin.net

PoS Philosophy

•Peercoin is the pioneer of proof of stake

[Condition of staking]

“Minters are first required to hold coins in their wallet for a total of 30 days before they can become eligible to compete in the process of minting new blocks.”

peercoin.net

PoS Philosophy

•Peercoin is the pioneer of proof of stake

[majority attack]

“A malicious actor would need to purchase enough coins ... the price per peercoin to skyrocket. .. to perform a successful attack would likely bankrupt the attacker in the process.”

peercoin.net

PoS Philosophy

•Ethereum suggested Casper and Slashing

[value-at-loss]

“The one-sentence philosophy of proof of stake is thus not security comes from burning energy, but rather security comes from putting up economic value-at-loss”

Vitalik Buterin. 2016. A Proof of Stake Design Philosophy. https://medium.com/@VitalikButerin/a-proof-of-stake-design-philosophy-506585978d51.

PoS Philosophy

•Ethereum suggested Casper and Slashing

[slashing]

“the evidence of the violation can be included into the blockchain as a transaction, at which point the validator’s entire deposit is taken away with a small “finder’s fee” given to the submitter of the evidence transaction.”

Vitalik Buterin and Virgil Griffith. 2019. Casper the Friendly Finality Gadget

PoS Philosophy

•Ethereum suggested Casper and Slashing

Vitalik Buterin and Virgil Griffith. 2019. Casper the Friendly Finality Gadget

PoS Philosophy

Value-at-loss

Assumptions in PoS Mechanisms

As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they’ll generate the longest chain and outpace attackers.

Bitcoin Whitepaper

Assumptions in PoS Mechanisms

when we say “2/3 of validators”, we are referring to the deposit-weighted fraction; that is, a set of validators whose sum deposit size equals to 2/3 of the total deposit size of the entire set of validators.

Casper the Friendly Finality Gadget

Assumptions in PoS Mechanisms

… to the permissionless setting as in the original Algorand protocol, where the Adversary can corrupt users adaptively and instantaneously, but cannot control more than 1/3 of the total stake in the system.

ALGORAND AGREEMENT

Assumptions in PoS Mechanisms

For dishonest participants never to exceed 1/3, there must be no economic incentive for more than one-third of the participants to be dishonest.

But can we be sure?

Ethereum PoS FAQ

The figure shows the staking limitation from liquidity.

Real World Stake

• Cosmos Atom (https://www.mintscan.io/validators) – 70%

• Cardano (https://adapools.org/) – 40.9%

Liquid Supply: 31.5B, Max Supply: 45B

Real World Stake

• Algorand (https://www.stakingrewards.com/earn/algorand/metrics) – 21%

• EOS (https://eosflare.io/) – 56.48%

PoS Philosophy

•Wait…. Value-at-Loss ?

Somehow, Benefit > Loss

Attacker

“I think I can hedge the risk”

Shorting Attack

Short Selling

Short Selling

Cryptocurrency exchanges offer short selling and financial derivatives, including margin trading, that let investors (or speculators) bet money.

Shorting Attack in Economics

We independently studied the shorting attack on PoS cryptocurrencies.

Separately, there is existing research on shorting attacks against financial institutions.

Shorting Attack in Economics

The stock price is not everything, but it partially reflects the value of a company.

Thus, aggressive shorting can make financial institutions look as if they do not have enough money to continue their business.

Fig. Interaction between Speculators and Creditors

Assumption in Shorting Attack

No more than 33% stake

No more than 51% resource

We take a different assumption: a majority possession limitation rule, rather than “no more than 1/3 of the stake”.

Assumption in Shorting Attack

Definition 1 (β-depreciation)

In a PoS cryptocurrency, when a player violates a rule, the market value of the cryptocurrency depreciates by β%.

Definition 2 (γ-slashing)

In a PoS cryptocurrency, when a player violates a rule, γ% of his stake is slashed.

Shorting Attack: Victim PoS Model

Shorting Attack: Procedure

Shorting Attack: Numerical Analysis

Assuming β-depreciation and γ-slashing:

• The cryptocurrency’s total supply → 1
• The average staking ratio → s
• Attacker’s amount of short selling → N
• Amount that the attacker needs to invest → at least s/3
• The attacker’s seed money → N + s/3

After sabotage:

• The value of the attacker’s staking → (1-β)(1-γ)s/3
• The result of the attacker’s short selling → (1+β)×N

Then the least seed money to reach the break-even point for the shorting attack is s/3(2+(1+β)γ/β).

Shorting Attack: Numerical Analysis

Slashing strongly limits the shorting attack. But if the attacker can ruin the value of a PoS cryptocurrency, the attack yields a big profit for the attacker.
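
The payoff model from the numerical-analysis slides, worked through as an added example (not part of the original talk). It keeps the slides' symbols s, β, γ and N and works directly from the two post-sabotage quantities; `max_short`, a cap on how much of the coin the market allows to be shorted, is a hypothetical parameter introduced here so that a protocol designer can see how much slashing offsets a given short position.

```python
"""Payoff model for the shorting attack in the slides' symbols (added example).

Units: total supply = 1 at the pre-attack price. s = average staking ratio,
beta = depreciation, gamma = slashing (all fractions), N = short position size.
"""


def attacker_profit(s, beta, gamma, short_n):
    """Attacker's final holdings minus seed money (N + s/3)."""
    stake = s / 3                                    # minimum stake invested
    stake_after = (1 - beta) * (1 - gamma) * stake   # depreciated and slashed
    short_after = (1 + beta) * short_n               # result of short selling
    return stake_after + short_after - (short_n + stake)


def break_even_short(s, beta, gamma):
    """Short size N at which attacker_profit() is zero."""
    if not 0 < beta < 1:
        raise ValueError("beta must be in (0, 1)")
    stake_loss = (s / 3) * (1 - (1 - beta) * (1 - gamma))
    return stake_loss / beta


def min_deterrent_slashing(s, beta, max_short):
    """Smallest gamma keeping profit <= 0 if at most max_short can be shorted.

    max_short is a hypothetical market-depth limit, not a value from the slides.
    Returns None when even 100% slashing cannot offset the short-selling gain.
    """
    if not 0 < beta < 1:
        raise ValueError("beta must be in (0, 1)")
    gain = beta * max_short              # short-selling profit at the limit
    depreciation_loss = beta * s / 3     # stake loss with gamma = 0
    if gain <= depreciation_loss:
        return 0.0                       # depreciation alone deters
    gamma = (gain - depreciation_loss) / ((1 - beta) * s / 3)
    return gamma if gamma <= 1 else None


if __name__ == "__main__":
    s, beta = 0.70, 0.20   # 70% is the Cosmos staking ratio above; beta is constructed
    for gamma in (0.0, 0.05, 0.5, 1.0):
        n = break_even_short(s, beta, gamma)
        print(f"gamma={gamma:.2f}  break-even short N={n:.4f}")
    print("min gamma for max_short=0.5:", min_deterrent_slashing(s, beta, 0.5))
```

The break-even short position grows with γ, which is the sense in which slashing limits the attack; a `None` result marks a market where the shortable amount is large enough that no slashing rate in this model removes the incentive.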

Conclusions

Conclusions:

1. It can be profitable to be a dishonest player in PoS

2. PoS designers should consider markets as well as functions in PoS cryptocurrency systems

3. Proper incentives in PoS should be studied to discourage dishonest players

Thank you

Keep Safe :)

Suhyeon Lee

Ph.D. student at Korea University
