Theoretical attack against Proof of Stake
Bottom line: yet another theoretical attack that does not work in practice.
Nxt, the first pure proof of stake coin, implements a simple algorithm to determine the next block generator (called forger). The algorithm is explained here. In a nutshell, the higher your NXT balance, the higher the chance that you’ll forge the next block proportionally. Actual block generation is randomized by the protocol. Simple, fast, efficient, no energy waste, and it can even run on a low power Linux device or cheap VPS node.
Over the years this simple algorithm has been criticized heavily as inherently insecure mainly due to the “Nothing at Stake” attack explained by Competitors, Researchers, would be experts, and their cheerleaders.
On the other hand, empirical evidence shows absolutely no “Nothing at Stake” attacks in practice against Nxt, and Ardor/Ignis/Bits/AEUR and their clones and copycats. Zero, Zilch, Zip, Nada, Nothing.
Consider that the Nxt blockchain just celebrated its 5th straight year in production and the Ardor mainnet is about to celebrate its first birthday in January. Back in December 2017, both coins were valued at more than 1 Billion USD. During these 5 years, Nxt withstood numerous attacks executed using many different attack vectors, but strangely enough, a “Nothing at Stake” attack was never observed in practice.
Perhaps the Nothing at Stake attack is not such a serious threat?
I decided to explore.
The nothing at stake attack is nicely explained by an Ethereum document: “In the event of a fork, whether the fork is accidental or a malicious attempt to rewrite history and reverse a transaction, the optimal strategy for any miner is to mine on every chain, so that the miner gets their reward no matter which fork wins. Thus, assuming a large number of economically interested miners, an attacker may be able to send a transaction in exchange for some digital good (usually another cryptocurrency), receive the good, then start a fork of the blockchain from one block behind the transaction and send the money to themselves instead, and even with 1% of the total stake the attacker’s fork would win because everyone else is mining on both.”
You heard it right, all you need in order to double spend NXT coins is to own 1% of the tokens. Surely there are quite a few greed driven individuals out there who would happily use this opportunity to make a few bucks? Where are they?
In this article, I’ll explain why I think this problem was blown out of proportion by proof of work advocates, academic researchers, and teams that want to sell you their seemingly wise “solutions”.
Let’s put it upfront, if some entity or multiple entities which collude together, posses more than 50% of the stake in a proof of stake network, they can happily double spend. This is similar to the infamous 51% attack against POW coins which is regularly observed in practice.
So let’s look at Bob, our “would be attacker”, who holds 1% of the Nxt tokens. Let’s see how he can try to double spend. I’ll completely ignore economic arguments like: why would Bob try to attack and discredit a network in which he holds 1%? Let’s simply assume that Bob wants to destroy Nxt to make a point about its lack of security.
Bob, being the proud owner of 1% of the NXT tokens in circulation, will generate on average 1% of the blocks. Natural 1 block forks occur in the Nxt network around once per hour so Bob simply waits until he sees a fork or he can also use his turn to forge a block to create such fork by generating two different blocks and sending each one to another central node.
Now, he executes his sinister plan: he sends all his funds to Bittrex on fork A and all his funds to himself on fork B. He now starts to forge on both forks. Alas, his chance of generating the next block is only 1%. His chance to generate any of the next 30 blocks is only around 26% (1–(0.99)³⁰).
Around 60 seconds later, a new block is generated by someone (99% it is not by Bob) and eventually Bittrex receives it. There is a 50% chance that Bittrex now sees fork A in which Bob sent his funds to Bittrex. However the folks at Bittrex are not naive, they wait for 30 confirmations before accepting the deposit.
According to the myth, all block generators should now forge on both fork A and fork B until Bob can see his deposit accepted by Bittrex on fork A and then he has a chance of 1% to double spend on fork B and get fork B to become the accepted fork.
I will now try to convince you that this attack does not work against Nxt’s implementation of Proof of Stake
What happens in practice is that all block generators use the Nxt official software, the Nxt software chooses the best fork based on the stake invested in it, and switches to it immediately, discarding the other fork. Therefore within a block or two, the A/B fork will be resolved. One of Bob’s conflicting transactions will be accepted and the other rejected. No double spend is possible.
The software needed by Bob to build on all forks to execute his attack, simply does not exist. It is also quite difficult to develop this software. After all, the Nxt software on which it should be based is designed to handle a single fork and forge on it, not to track multiple forks and forge on all of them. Adding this functionality will require some considerable effort. You can forget about getting help from the core developers.
But even if Bob hires a dream team of blockchain developers and develops this Nxt software variant that builds on all forks, if he is using it alone, he can’t cause much damage since he can only generate 1% of the blocks. Even if he is lucky to generate the next block, he will never generate 30 blocks in a row to trick Bittrex.
According to the myth, Bob will need to convince all block generators to collude with him and work on his unofficial version of the software. But we already agreed that if more than 50% of the stake owners collude they can double spend - so what’s the big deal?
In practice, I dare you to find a single block generator with significant stake who will use this malicious fork designed to cheat and destroy the reputation of his beloved blockchain. If Bob is willing to double spend, perhaps he is also willing to attempt to steal private keys? Users will simply laugh at Bob.
And what if the value of Nxt or Ardor spikes to $100B? Surely Bob will have sufficient resources to develop the modified Nxt software? But surely nobody will use this software and risk destroying such a valuable coin.
Another myth busted.
The existence of an attack vector does not mean that this attack vector is practical. For example, to reverse a SHA256 hash all one needs to do is attempt on average 2²⁵⁵ hash operations. Theoretically doable - but practically impossible.
In this article I attempted to convince you that the “Nothing at Stake” attack is mostly a theoretical toy used to discredit proof of stake coins. It is an attack that is nearly impossible to execute. Therefore, it is surely not a major concern when deciding between blockchain consensus protocols.