We next discuss a number of practical attacks and indicate how they are reflected by our modeling and mitigated.
Double spending attacks In a double spending attack, the adversary wishes to revert a transaction that is confirmed by the network. The objective of the attack is to issue a transaction, e.g., a payment from an adversarial account holder to a victim recipient, have the transaction confirmed and then revert it by, e.g., including in the ledger a second, conflicting transaction.
Such an attack is not feasible under the conditions of Theorem 5.5. Indeed, persistence ensures that once the transaction is confirmed by an honest player, all other honest players from that point on will never disagree regarding this transaction. Thus it will be impossible to bring the system to a state where the confirmed transaction is invalidated (assuming all preconditions of the theorem hold). See the next section for an experimental discussion about double spending.
Grinding attacks In stake grinding attacks, the adversary tries to influence the slot leader selection process to improve its chances of being selected to generate blocks (which can be used to perform other attacks such as double spending). Basically, when generating a block that is taken as input by the slot leader selection process, the adversary first tests several possible block headers and block contents in order to find the one that gives it the best chance of being selected as a slot leader again in the future. While this attack affects PoS based cryptocurrencies that collect randomness for the slot leader selection process from raw data in the blockchain itself (i.e., from block headers and contents), our protocol uses a coin tossing protocol that is proven to generate unbiased uniform randomness, as discussed in Section 5.2. We show that an adversary cannot influence the randomness generated in Figure 12, which is guaranteed to be uniformly random, thus guaranteeing that slot leaders are selected with probability proportional to their stake.
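To make the distinction above concrete, the following is an added Python simulation (not part of the original paper or of the Ouroboros protocol itself) contrasting two toy leader selection rules: one that seeds a follow-the-satoshi style selection with the hash of the previous block, which a leader can grind over by trying several block variants, and one seeded by an unbiasable value standing in for the coin tossing output. The stake table, the number of candidate blocks the adversary tries per slot and the slot count are constructed values chosen for the illustration.

```python
import hashlib
import random
from typing import Dict

# Constructed stake distribution for the simulation: adversary "A" holds 20%.
STAKE: Dict[str, int] = {"A": 20, "H1": 30, "H2": 30, "H3": 20}


def follow_the_satoshi(seed: bytes, stake: Dict[str, int]) -> str:
    """Select a slot leader with probability proportional to stake.

    The seed is hashed, reduced modulo the total stake and the result is
    mapped onto the stake table, so a holder of s coins owns s of the
    total indices."""
    idx = int.from_bytes(hashlib.sha256(seed).digest(), "big") % sum(stake.values())
    for holder, s in stake.items():
        if idx < s:
            return holder
        idx -= s
    raise RuntimeError("unreachable: idx is always below the total stake")


def _rand_bytes(rng: random.Random, n: int) -> bytes:
    return rng.getrandbits(8 * n).to_bytes(n, "big")


def adversary_share(slots: int, candidates: int, beacon: bool, seed: int = 1) -> float:
    """Fraction of slots in which the adversary is elected leader.

    beacon=False models a chain-derived seed: the next slot's leader is chosen
    from the hash of the current block, so whenever "A" leads it tries
    `candidates` block variants and publishes the first one that re-elects it.
    beacon=True models unbiasable randomness (a stand-in for the coin tossing
    output): the next seed is drawn independently of anything the leader did."""
    rng = random.Random(seed)
    cur = b"genesis"
    adv = 0
    for _ in range(slots):
        leader = follow_the_satoshi(cur, STAKE)
        if leader == "A":
            adv += 1
        if beacon:
            cur = _rand_bytes(rng, 32)
            continue
        # Honest leaders publish the first block they assemble; "A" grinds.
        tries = candidates if leader == "A" else 1
        chosen = None
        for _ in range(tries):
            # Free-form block content (nonce, transaction order) the leader controls.
            block = cur + leader.encode() + _rand_bytes(rng, 8)
            next_seed = hashlib.sha256(block).digest()
            if chosen is None:
                chosen = next_seed
            if follow_the_satoshi(next_seed, STAKE) == "A":
                chosen = next_seed  # grinding succeeded: this block re-elects "A"
                break
        cur = chosen
    return adv / slots


if __name__ == "__main__":
    print("chain-derived seed, no grinding :", adversary_share(5000, 1, beacon=False))
    print("chain-derived seed, 8 candidates:", adversary_share(5000, 8, beacon=False))
    print("unbiasable beacon, 8 candidates :", adversary_share(5000, 8, beacon=True))
```

With a chain-derived seed, a 20% stakeholder that tries eight block variants whenever it leads is re-elected in the next slot with probability about 1 - 0.8^8, and its long-run share of slots rises to roughly 0.54; with the unbiasable seed the same grinding effort buys nothing and its share stays at its stake fraction.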
Transaction denial (censorship) attacks In a transaction denial attack, the adversary wishes to prevent a certain transaction from becoming confirmed. For instance, the adversary may want to target a specific account and prevent the account holder from issuing an outgoing transaction.
Such an attack is not feasible under the conditions of Theorem 5.5. Indeed, liveness ensures that, provided the network keeps attempting to insert the transaction for a sufficient number of slots, it will eventually be confirmed.
Desynchronization attacks In a desynchronization attack, a shareholder behaves honestly but is nevertheless incapable of synchronizing correctly with the rest of the network. This leads to ill-timed issuing of blocks and to being offline during periods when the shareholder is supposed to participate. Such an attack can be mounted by preventing the party's access to a time server or any other mechanism that allows synchronization between parties. Moreover, desynchronization may also occur due to exceedingly long delays in message delivery. Our model allows parties to become desynchronized by incorporating them into the adversary. No guarantees of liveness and persistence are provided for desynchronized parties, and thus we retain security as long as the desynchronized parties hold less than 50% of the stake. If parties holding more than 50% of the stake become desynchronized, our protocol can fail. More general models like partial synchrony [23, 39] are interesting to consider in the PoS design setting. See the follow-up work, Ouroboros Praos, for more information on this topic [22].
Eclipse attacks In an eclipse attack, message delivery to a shareholder is violated due to a subversion of the peer-to-peer message delivery mechanism. As in the case of desynchronization attacks, our model allows parties to be eclipse attacked by incorporating them into the adversary. No guarantees of liveness or persistence are provided for such parties.
51% attacks A 51% attack occurs whenever the adversary controls a majority of the stake in the system. It is easy to see that, in such a case, any sequence of slots is forkable with very high probability, and thus once the system finds itself in such a setting the honest stakeholders may be placed in different forks for long periods of time. Both persistence and liveness can be violated.
Bribery Attacks In bribery attacks [13], an adversary deliberately pays miners (through cryptocurrency or fiat money) to work on specific blocks and forks, aiming at generating an arbitrary fork that benefits the adversary (e.g., by supporting a double spending attack). Miners of PoW based cryptocurrencies do not have to own any stake in order to mine blocks, which makes this attack strategy feasible. In this setting, if the adversary offers a bribe higher than the reward for correctly generating a block, any rational miner has a clear incentive to accept the bribe and participate in the attack since it increases the miner's financial outcome. However, in our PoS based protocol, malicious slot leaders who agree to deliberately attack the system not only risk forgoing any potential profit they would earn from behaving honestly but may also risk losing equity.
Notice that slot leaders must have money invested in the system in order to be able to generate blocks, and if an attack against the system is observed this may drive the currency's value down. Even if the bribe is higher than the reward for correct behavior, the loss from currency devaluation can easily offset any additional profit made by participating in this attack. Hence, bribery attacks may be less effective against a PoS based consensus protocol than against a PoW based one. Currently our rationality model does not formally encompass this attack strategy, and investigating its efficacy against PoS based consensus protocols is left as future work.
Long-range attacks An attacker who wishes to double spend at a later point in time can mount a long-range attack [14] by computing a longer valid chain that starts right after the genesis block and in which it is the single stakeholder actively participating in the protocol. Even if this attacker owns a small fraction of the total stake, it can locally compute this chain, generating only the blocks for slots where it is elected slot leader, and keep generating blocks ahead of the current time until its alternative chain has more blocks than the main chain. Now, the attacker can post a transaction to the main chain, wait for it to be confirmed (and for goods to be delivered in exchange for the transaction) and present the longer alternative chain to invalidate its previously confirmed transaction. This attack is ineffective against Ouroboros for two reasons: Protocol πDLS will only output valid leader selection data, allowing the protocol to continue, if a majority of the stakeholders participate (or have delegates participate on their behalf), and stakeholders will reject blocks generated for slots that are ahead of the current time. Since the alternative chain is generated artificially, with blocks and protocol messages produced solely by an attacker who controls a small fraction of the stake, the leader selection data needed to start new epochs will be considered invalid by other nodes. Even if the attacker could find a strategy to generate an alternative chain with valid leader selection data, presenting this chain and its blocks generated at slots that are far ahead of time would not result in a successful attack, since those blocks would be rejected by the honest stakeholders and the remaining alternative chain would be shorter than the main chain.
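The two checks that defeat the long-range attack described above, as an added Python illustration that is not part of the original paper or of any Ouroboros implementation: an honest node accepts a received chain only up to the first block that is out of slot order, lies in a slot ahead of the node's own clock, or belongs to an epoch whose leader selection data was not produced with the participation of a stake majority, and then applies the longest-chain rule to the accepted prefixes. The epoch length, stake table, and the shape of the attacker's chain are constructed values; the "participants" record is a simplified stand-in for the coin tossing messages that πDLS needs from a majority of the stake.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed parameters for the illustration (not the paper's values).
EPOCH_LENGTH = 10                       # slots per epoch
STAKE = {"A": 10, "H1": 45, "H2": 45}   # constructed: attacker "A" holds 10% of the stake


@dataclass(frozen=True)
class Block:
    slot: int
    issuer: str


@dataclass
class Chain:
    blocks: List[Block]
    # Stakeholders whose leader selection (coin tossing) messages for epoch e are
    # recorded on this chain, keyed by e. Epoch 0 is seeded from genesis.
    participants: Dict[int, Set[str]]


def epoch_of(slot: int) -> int:
    return slot // EPOCH_LENGTH


def leader_data_valid(chain: Chain, epoch: int, stake: Dict[str, int]) -> bool:
    """Leader selection data for an epoch counts as valid only if stakeholders
    holding a strict majority of the stake took part in producing it."""
    if epoch == 0:
        return True
    participating = sum(stake.get(p, 0) for p in chain.participants.get(epoch, set()))
    return 2 * participating > sum(stake.values())


def accepted_prefix(chain: Chain, current_slot: int, stake: Dict[str, int]) -> List[Block]:
    """Blocks an honest node whose clock reads current_slot accepts from a chain.

    Scanning from genesis, it stops at the first block that is (a) out of slot
    order, (b) for a slot ahead of the node's clock, or (c) in an epoch without
    valid leader selection data. Everything before that point is kept."""
    accepted: List[Block] = []
    last_slot = -1
    for b in chain.blocks:
        if b.slot <= last_slot or b.slot > current_slot:
            break
        if not leader_data_valid(chain, epoch_of(b.slot), stake):
            break
        accepted.append(b)
        last_slot = b.slot
    return accepted


def select_chain(candidates: List[Chain], current_slot: int, stake: Dict[str, int]) -> List[Block]:
    """Longest-chain rule applied to the accepted prefixes, not to the raw chains."""
    return max((accepted_prefix(c, current_slot, stake) for c in candidates), key=len)


def build_scenario() -> Tuple[Chain, Chain, Chain]:
    """Constructed scenario: the honest chain has reached slot 29; the attacker
    has precomputed its own blocks far into the future so that its raw chain is
    longer than the honest one."""
    honest = Chain(
        blocks=[Block(s, "H1" if s % 2 == 0 else "H2") for s in range(30)],
        participants={1: {"H1", "H2"}, 2: {"H1", "H2"}},
    )
    attacker_slots = list(range(3, 400, 11))  # roughly one slot in eleven, up to slot 399
    last_epoch = epoch_of(attacker_slots[-1])
    # Case 1: the attacker built the chain alone, so only its own messages back each epoch.
    alone = Chain(
        blocks=[Block(s, "A") for s in attacker_slots],
        participants={e: {"A"} for e in range(1, last_epoch + 1)},
    )
    # Case 2 (hypothetical): the attacker somehow obtained valid leader data for every epoch.
    forged_leader_data = Chain(
        blocks=[Block(s, "A") for s in attacker_slots],
        participants={e: {"H1", "H2"} for e in range(1, last_epoch + 1)},
    )
    return honest, alone, forged_leader_data


if __name__ == "__main__":
    honest, alone, forged = build_scenario()
    now = 29
    print("raw lengths: honest", len(honest.blocks), "attacker", len(alone.blocks))
    for name, c in (("honest", honest), ("alone", alone), ("forged", forged)):
        print(f"{name:>7}: accepted {len(accepted_prefix(c, now, STAKE))} blocks")
    print("selected chain length:", len(select_chain([honest, alone, forged], now, STAKE)))
```

Although the attacker's raw chain (37 blocks) is longer than the honest chain (30 blocks), a node at slot 29 accepts only its epoch 0 block when the leader data for later epochs rests on 10% of the stake, and only the three blocks up to slot 25 even if that leader data were valid, so the longest-chain rule still selects the honest chain.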
Nothing at stake attacks The "nothing at stake" problem refers in general to attacks against PoS blockchain systems that are facilitated by shareholders simultaneously extending multiple blockchains, exploiting the fact that little computational effort is needed to build a PoS blockchain.
Provided that stakeholders are frequently online, nothing at stake is taken care of by our analysis of forkable strings (even if the adversary brute-forces all possible strategies to fork the evolving blockchain in the near future, there is none that is viable) and by our chain selection rule, which instructs players to ignore very deep forks that deviate from the block they received the last time they were online. It is also worth noting that, contrary to PoW-based blockchains, in our protocol it is infeasible to have a fork generated in earnest by two shareholders. This is because slots are uniquely assigned, and thus at any given moment there is a single, uniquely identified shareholder that is elected to advance the blockchain. Players following the longest chain rule will adopt the newly minted block (unless the adversary presents at that moment an alternative blockchain using older blocks). It is remarked in [15] that the "tragedy of the commons" might lead stakeholders in some PoS based schemes to adhere to attacks because they do not have the power to deter attacks by themselves and would incur financial losses even if they did not join the attack. This would lead rational stakeholders to accept small bribes in alternative currencies so as to obtain at least some financial gain. However, in the incentive structure of Ouroboros, slot leaders and endorsers who could potentially join an attack would receive rewards in both the main and the adversarial chain, so those stakeholders do not achieve higher profits by joining the attack.
Past majority attacks As stake moves, our assumption is that only the current majority of stakeholders is honest. This means that past account keys (which potentially do not hold any stake at present) may be compromised. This leads to a potential vulnerability for any PoS system, since a set of malicious shareholders from the past can build an alternative blockchain exploiting such old accounts and the fact that it is effortless to build such a blockchain. In light of Theorem 5.5, such an attack can only occur against shareholders who are not frequently online to observe the evolution of the system, or in case the stake shifts are higher than what is anticipated by the preconditions of the theorem. This can be seen as a special instance of the nothing at stake problem, where the attacker no longer owns any stake in the system and is thus free from any financial losses when conducting the attack.
Selfish-mining In this type of attack, an attacker withholds blocks and releases them strategically, attempting to drop honestly generated blocks from the main chain. In this way the attacker reduces chain growth and increases the relative ratio of adversarially generated blocks. In conventional reward schemes, such as that of Bitcoin, this has serious implications, as it enables the attacker to obtain a higher rate of rewards compared to the rewards it would receive if it followed the honest strategy. Using our reward mechanism, however, selfish mining attacks are neutralized. The intuition behind this is that input endorsers, who are the entities that receive rewards proportionally to their contributions, cannot be stifled by block withholding: any input endorser can have its contribution accepted for a sufficiently long period of time after its endorsement took place, thus ensuring it will be incorporated into the blockchain (due to sufficient chain quality and chain growth). Given that input endorsers' contributions are (approximately) proportional to their stake, this ensures that the reward distribution cannot be affected substantially by block withholding.