Long Range Attack

Description: An attacker overtakes the main chain by producing a competing chain using past staking balances. For example, assume an attacker has a moderately large stake in the network, then exchanges their stake for another cryptocurrency (or for fiat). They no longer have a stake in the network at the most recent block, but their past stake is still viable from the perspective of some older blocks. This attacker may collude with other attackers who've followed the same steps until they reach 51% of the supply at that point in time. Now they have the ability to quickly generate a fork by forging previous timestamps until the height of the fork is equal to the height of the main chain. This can be done in such a way that the trust scores of the two chains are very close. Without additional safeguards, honest nodes would not be able to differentiate between the honest chain and the attacker's chain, thus potentially forcing a reorg.

Solution: A maximum reorganization depth completely mitigates long range attacks on online validating nodes. The issue still exists for inactive nodes who are resyncing with the network and new nodes who are syncing for the first time. A fixed checkpointing system is used to prevent syncing nodes from syncing with the attacker's chain. This is done by either directly encoding checkpoints into the source code (long interval checkpointing) or broadcasting checkpoints from a trusted source (short interval checkpointing). Although these solutions may introduce other issues, they do drastically reduce the likelihood of a long range attack.

Nothing at Stake

Description: A distinction must be made between honest, rationally self-interested, and malicious nodes. Honest nodes will always align their actions with what is best for the network. Rationally self-interested nodes don't aim to compromise the network, but their self-interest may lead them in that direction if the incentive structure facilitates it. A malicious node's only goal is to compromise the network.

Now imagine a chain with multiple competing forks. No node can be sure which fork will ultimately win, so in order to improve their expected value the rationally self-interested nodes stake on every fork. This is an issue for two core reasons: 1. it can cause uncontrollable forking because the network can't reach a consensus on what the main chain is and 2. the stake threshold an attacker needs to launch a 51% attack is reduced because the rationally self-interested nodes will effectively assist in the attack by staking on the attacker's chain.

Solution: The double-block protection mechanism allows for the cancellation of the top block for double stakes. This partially mitigates the risk of the nothing at stake attack being successful. Additionally, the rationally self-interested nodes may have an incentive to stake on as many chains as possible to increase returns, but they also have an incentive to help the network reach consensus in a timely manner. Otherwise, they run the risk of losing their entire deposit due to the dysfunctional network. When considering these positive factors, the likelihood of the nothing at stake problem occurring in reality is very low from both an economic and technical standpoint.

Stake Grinding

Description: Also known as a precomputation attack. If there is no context-based entropy included in the target calculation, then the staker can calculate the future target values that their stake will produce. With this information the staker now has no incentive to remain online before they expect to successfully stake a block. This reduces the quantity of active verifying nodes and thus reduces the security of the network. If the nodes were unable to determine when they would successfully stake, then they would have to remain online consistently.

Another attack that is based on this same principle is precomputing the outcome of different events and using the results of those computations to determine how to increase the likelihood of staking consecutive blocks. The act of computing all the possible outcomes is called Stake Grinding and essentially reduces proof of stake consensus to Bitcoin's original proof of work consensus that proof of stake was meant to replace.

Solution: The process of including chain-based entropy into the target hash calculation is known as stake modification. The more the stake modifier can obfuscate future target hashes, the more difficult it becomes to successfully launch a stake grinding attack. Different stake modification schemes provide different degrees of obfuscation, so it's crucial to use the best one available. The most advanced stake modification schemes include deterministic sampling of entropy from previous blocks within the modifier interval and change significantly from block to block. This makes precomputation attacks unfeasible for any realistic amount of computing power.
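The stake modification solution described on this page, as an added sketch that is not Crown's code: it compares a kernel hash with no chain entropy against one whose modifier samples bytes from recent block hashes. The function names, the SHA-256 construction, the one-byte sampling rule and the interval of 4 are all assumptions made for illustration.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def next_modifier(prev_modifier: bytes, chain: list, interval: int) -> bytes:
    """Fold one sampled byte from each of the last `interval` block hashes
    into the previous modifier (hypothetical sampling rule)."""
    acc = prev_modifier
    for block_hash in chain[-interval:]:
        pos = acc[0] % len(block_hash)        # position picked by running state
        acc = H(acc, block_hash[pos:pos + 1])
    return acc

def kernel_hash(modifier: bytes, stake_id: bytes, timestamp: int) -> bytes:
    """Value compared against the staking target for one stake at one time."""
    return H(modifier, stake_id, timestamp.to_bytes(8, "big"))

def schedule(modifier, stake_id, times):
    return [kernel_hash(modifier, stake_id, t) for t in times]

def schedule_survives_new_block(use_chain_entropy: bool, interval: int = 4) -> bool:
    """True if kernel hashes computed in advance are still the ones the
    network will check after a single new block is connected."""
    # Constructed sample data: block hashes and stake id are made up.
    chain = [H(b"constructed-block-%d" % i) for i in range(10)]
    stake_id = H(b"constructed-stake-output")
    times = range(1_700_000_000, 1_700_000_000 + 64 * 16, 16)
    static = b"\x00" * 32                     # no chain-based entropy
    modifier = next_modifier(static, chain, interval) if use_chain_entropy else static
    planned = schedule(modifier, stake_id, times)
    chain.append(H(b"constructed-block-10"))  # the chain advances by one block
    if use_chain_entropy:
        modifier = next_modifier(modifier, chain, interval)
    return planned == schedule(modifier, stake_id, times)
```

Without chain entropy the advance schedule stays valid indefinitely; with the modifier it is invalidated by the next block, which is why a staker must stay online to learn whether they can stake.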
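For the long range attack solution described on this page, an added sketch (not Crown's code) of the two safeguards a node applies before any trust-score comparison: a maximum reorganization depth for online nodes and fixed checkpoints for syncing nodes. The depth of 5, the block labels and the checkpoint at height 6 are constructed assumptions.

```python
MAX_REORG_DEPTH = 5                 # assumed policy value, not Crown's
OK, TOO_DEEP, BAD_CHECKPOINT = "ok", "reorg-too-deep", "checkpoint-mismatch"

def last_common_height(active, candidate):
    """Height of the last block both chains share (-1 if none)."""
    height = -1
    for a, c in zip(active, candidate):
        if a != c:
            break
        height += 1
    return height

def check_safeguards(candidate, checkpoints, active=None, max_depth=MAX_REORG_DEPTH):
    """Apply both safeguards before fork choice.

    candidate/active: lists of block ids indexed by height.
    checkpoints: {height: block id}. active=None models a node that is
    syncing from scratch and has no chain of its own to measure depth against.
    """
    for height, block_id in checkpoints.items():
        if height < len(candidate) and candidate[height] != block_id:
            return BAD_CHECKPOINT
    if active is not None:
        depth = len(active) - 1 - last_common_height(active, candidate)
        if depth > max_depth:
            return TOO_DEEP
    return OK

# Constructed sample chains (block ids are labels, not real hashes).
HONEST = ["g"] + [f"h{i}" for i in range(1, 10)]            # heights 0..9
LONG_RANGE = HONEST[:2] + [f"x{i}" for i in range(2, 11)]   # forks after height 1
SHALLOW = HONEST[:9] + ["y9", "y10"]                        # forks after height 8
CHECKPOINTS = {6: "h6"}

def demo():
    return {
        "online node, long-range fork": check_safeguards(LONG_RANGE, {}, HONEST),
        "online node, shallow fork": check_safeguards(SHALLOW, {}, HONEST),
        "syncing node, no checkpoints": check_safeguards(LONG_RANGE, {}),
        "syncing node, checkpoints": check_safeguards(LONG_RANGE, CHECKPOINTS),
        "syncing node, honest chain": check_safeguards(HONEST, CHECKPOINTS),
    }
```

The "syncing node, no checkpoints" case passes both safeguards, which is the residual exposure for new and resyncing nodes that checkpointing is meant to close.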
Crown Proof of Stake Vulnerabilities and Mitigations