but how confident can the community be that we can ever foresee every attack vector?
0%
Network security comes at a cost. Under PoW, that cost is explicit. Under DPoS, that cost is opaque, but real nonetheless - the cost of voting. I've made this point previously, that it is not a verifiable claim to say DPoS is lower expense than PoW for this reason. Either DPoS also has a high cost, or compromises security.
Warning! Too much text below! Tl;dr: I try to analyze the operating cost difference between DPoS and PoW given the same amount of security for both against two particular classes of attacks, which I call a trust attack and a brute-force attack. Trust attacks require convincing others (miners in PoW, stakeholders in DPoS) to delegate their power to the attacker. The conclusion here is the obvious one we have discussed plenty of times in this community: DPoS is both more decentralized and has much lower cost for the same amount of security against this particular attack compared to PoW. A brute-force attack requires outright purchasing the fundamental consensus power (mining power in PoW, or stake in DPoS) and using it to attack the network in a way that the attacker hopes will end up being net profitable. For this attack, I try to compare PoW to DPoS with the security bond modifications that I proposed. This analysis is much trickier and requires a lot of assumptions, but my conclusion is that even with conservative estimates DPoS can be much cheaper to operate than PoW for the same amount of security against this brute-force attack. Finally, I conclude by noting that PoW's objectivity does provide some security advantages over DPoS under some attack scenarios, but my opinion is that this advantage is negligible compared to the much higher operating cost required for PoW.
PoW has better objective consensus compared to far more subjective consensus of PoS (DPoS included) systems. That is really useful when you want to be confident that you are likely on the correct chain even with a compromised internet connection as long as you have an estimate for the accumulated work done on the blockchain thus far. It is also useful in allowing everyone to come to a consensus on one particular chain (whether it is the chain they actually desire to accept or not) in the rare case of a successful long-term reorganization attack. On the other hand in PoS systems, under such a scenario it would require subjective consensus (relying on trustworthy nodes, businesses, other entities) to resolve which is or should be the "real" chain. Hopefully the economic incentives are designed to make such an attack very unprofitable and therefore very unlikely.
If we are willing to accept those disadvantages, we get a lot of benefits from DPoS as a result of this trade-off. One benefit is faster and more deterministic block generation. But the main benefit is a much lower network operating cost given the same cost to an attacker that is trying to attack the system through methods that don't require compromising the victim's internet connection (attacks where the attacker both compromises the victim's internet connection and has control over more than 50% of witnesses are more profitable in DPoS for a given network operating cost than in the similar case of a PoW system where the attacker has control of more than 50% of mining power).
So where does the cost reduction come from? To answer this, I will examine two different attacks. I'm going to call the first a trust attack and the second a brute-force attack.
The trust attack requires convincing other people with consensus power (hashing power in PoW or stake in DPoS) to delegate their consensus power to the attacker rather than to anyone else. In the case of PoW there is an economic incentive to delegate hashing power to an entity (mining pools) other than yourself as long as you trust them to honor the deal and pay you your fair share of block rewards. In DPoS, only the entities that are delegated the stake voting power, the witnesses, are allowed to produce blocks and only if they have sufficient approval. So again there will naturally need to be delegation of the consensus power. In both cases, the entity that you have delegated the consensus power to can break their vow and use the privileges granted from the delegated consensus power to attack the network in some way. However, they are pretty much guaranteed to get caught if they do so and their reputation will be forever destroyed. This means they cannot convince people to ever trust them with consensus power again, which means they cannot be a block producer again. Since they were rewarded for being a block producer, there is an opportunity cost in the form of lost future income that motivates them to behave. However, if the profit potential is worth more than this opportunity cost, it would be rational for them to attack the network assuming they are not concerned about other things like their reputation in real life (assuming their identity has already been revealed) or the value of their investments (which they want to hold) in the system they are attacking. What we have seen in Bitcoin is that the vast majority of hashing power is concentrated in a handful of mining pools. BitShares with its 101 witnesses is far more decentralized than Bitcoin in this manner. Collusion among mining pools to get 51% hashing power is thus easier than collusion among 51% of witnesses.
If we compare the operating costs between PoW and DPoS, we will see that they are not too different if you ignore the significant costs of mining. Some amount of the block rewards go to the mining pool operators (the profit after their operating expenses makes up their opportunity cost) and the rest get distributed to the actual miners. If we wanted a similar opportunity cost for witnesses, we would have to pay the active witnesses in aggregate the same amount as the fraction of block rewards that go to the mining pool operators (which is a tiny fraction of the block rewards since the vast majority goes to the miners). However, DPoS does not have to pay for miners, so its overall operating costs are dramatically lower.
What about another form of attack? I call a brute-force attack an attack that requires the attacker to purchase or otherwise obtain control over the actual consensus power directly. In the case of PoW, this means buying enough ASICs and paying for the electricity costs to operate them. In DPoS, this means buying the core stake with which they can vote for their own witnesses. Keep in mind that the attacker does not need to purchase these things legally; they can get control over them illegally too. In the case of PoW, this might mean they hack into enough miners' computers and hijack the block headers that their ASICs hash. In the case of DPoS, this might mean they hack into enough stakeholders' computers and steal the private keys controlling their stake. I am assuming that this kind of wide scale hacking attack is hard to do. Even if feasible, it is important to notice that the number of individuals to attack to get 51% of hashing power in PoW is very likely less than the number of individuals to attack to get a sufficient amount of stake to vote in 51% of witnesses (although the former group might have better operational security than the latter group, then again that is unlikely to make a difference).
One other thing to realize about a brute-force attack is that a lot of value spent acquiring this consensus power can be recovered after the attack. In PoW any electricity consumed is forever lost and cannot be resold, but the ASICs can be resold (granted for a lower price than they were initially acquired). However, if the ASICs are only needed for a short amount of time for the duration of the attack, the resale value of the ASICs may not be too bad. Similarly, an attacker can buy stake to vote in their evil witnesses to do the attack, and then immediately afterward sell the stake to recover costs as much as possible. It is only the net difference that the attacker needs to pay (in addition to electricity costs for PoW brute-force attacks) to carry out this attack. If the profit from the attack is greater than this difference, then it is rational for the attacker to carry out the attack. However, there are a lot of economic uncertainties here. After the attack is successfully carried out, the price of the stake will very likely drop significantly. But it is not clear whether this will be temporary or how significant the drop will be (I doubt a foreseen but theoretically rare attack like this would kill the coin). A drop immediately after actually helps increase net costs for PoS brute-force attacks, which is actually a good thing. However, a drop in the price of a PoW coin will also likely correlate with a drop in the value of ASICs that mine that coin. Thus the net cost to the attacker also increases for PoW brute-force attacks. Also, ASICs are a depreciating asset whereas the core stake can actually appreciate in value (sometimes a lot!), which is a win for PoW security as far as brute-force attacking costs go.
DPoS can improve its security by requiring the witnesses to deposit funds which can be destroyed by the network if they are caught cheating. We define the probability of successfully burning the deposit of an attacker's witnesses as p (it is safe to assume p is close to 1, e.g. p = 0.95). The value of the required deposited stake among all witnesses is C. In addition to the funds to cover node operating expenses, the blockchain pays witnesses a fraction f of the locked funds per year to compensate for the opportunity cost of locking the funds (f = 0.05 seems reasonable, which corresponds to a 5% p.a. return). The expected value of the cost to the attacker in control of 51% of witnesses (which is the minimum needed to take control of the DPoS network and carry out the attack) is approximately p*C/2 plus whatever extra cost they pay due to drop in value of their voting stake as a result of the attack (let's be conservative and assume this is zero).
In a PoW brute-force attack, the attacker needs to purchase enough ASICs to generate slightly more hashing power than the current aggregate hashing power of the entire network. After the attack, the attacker can then sell the ASICs to whoever wants them (rational greedy miners are likely not even going to care if they are purchasing useful ASICs from a known attacker, but most likely they won't even know who the attacker was). There is going to be some net cost C_a from this buy-sell cycle. The attacker will also need to pay for electricity to run the ASICs for the duration of the attack; call this cost C_e. If the attacker only wants to do this attack once, they will only need to run the ASICs for around 8 blocks or so (enough to do chain reorganization against victims who waited the full 6 blocks, or 1 hour, as they are told to do). Let's be generous and say they pay for electricity to run the ASICs for 53 blocks which would approximately take 8.8 hours, or 1/1000 of a year. Therefore, C_e can be estimated as 1/1000th of the cost of electricity consumed to run the Bitcoin network for a year. I am going to try to come up with some back of the envelope estimates for these costs. From this table I see that the most efficient (highest Mhash/J) ASIC is the AntMiner S5. It has a cost of 3,121 MHash/s/$ and an efficiency of 1,957 MHash/J. Bitcoin's current hash rate is approximately 400 billion MHash/s. This means $128 million worth of these ASICs would be necessary, which would consume 205 MW of power. Assuming an electricity cost of $0.08/kWh, it would take $144 million to run these ASICs for 1 year, but only $144,000 to run them for the desired 8.8 hours. Thus, C_e = $144,000. By the way, new BTC is currently being produced at a rate of $40,000/hour, or $350 million per year (according to current market price). So if we subtract the $144 million electricity cost to run those ASICs, that leaves $206 million per year of revenue to cover the capital cost of the ASICs and of course any profit. I am not sure what kind of ASIC the typical miner owns and how long they last before becoming obsolete, but these numbers seem reasonable as a sanity check on the math. To calculate C_a I will make a completely wild assumption that the attacker can sell their ASICs after the attack for less than a 10% discount. So let's say C_a = $12 million. Even if the discount was 2%, it is clear that the loss in selling the ASICs outweighs the electricity cost.
The cost of a DPoS brute-force attack will be higher (and thus DPoS more secure in this particular attack) than the PoW brute-force attack if p*C/2 + C_s > C_a + C_e, where C_s is the net cost of buying enough stake to vote in the bad witnesses and then selling the stake (if desired) after the attack (I will assume this is its minimum value of zero to be conservative). The PoW network however has to pay a large expense to economically incentivize the miners to actually mine. I will use the current Bitcoin expense as an example. As I mentioned before, the Bitcoin blockchain is paying an expense C_w of $350 million per year currently to cover the electricity costs of approximately $144 million per year (or likely higher since I used a low electricity rate) and to cover the capital costs of an ASIC base worth (very) roughly $128 million. If I assume all of these PoW costs scale linearly with the blockchain expense (because difficulty will adjust), then a $350 million per year blockchain expense corresponds to an attacker expense of C_a + C_e, which is roughly somewhere between $150,000 (for a nearly 0% discount) and $12,144,000 (for 100% discount, i.e. cannot resell ASICs), or a ratio r = C_w/(C_a + C_e) that is very roughly between 2333 and 29, respectively. The yearly cost to DPoS to pay for the opportunity cost of the locked stake is C_d = f*C, which must be greater than 2*f*(C_a + C_e)/p = 2*f*C_w/(p*r) in order for DPoS to be more secure than PoW for this particular attack. So with the conservative case of r = 29 (100% discount) and the other values, the minimum yearly cost for DPoS (excluding basic node operating costs) is C_d = 2*(0.05)*($350 million)/(0.95 * 29) = $1,270,000. More importantly, the ratio of the PoW cost (excluding basic node operating expenses, but I will still use the above C_w value since Bitcoin mining node operating expenses are currently negligible compared to hashing expenses) to DPoS cost (again excluding basic node operating expenses, which should be similar to that of a PoW system) for the same amount of security against this particular attack is approximately C_w/C_d = p*r/(2*f) = (0.95 * 29)/(2*0.05) = 275.5 and potentially orders of magnitude greater (if the attacker can get a reasonable discount on ASIC resales).
The other thing to consider when measuring security is not just the profitability of the attack, but how much initial capital is necessary to actually carry out the attack. To carry out the PoW brute-force attack, the attacker would need approximately $130 million assuming we use numbers currently applicable to the Bitcoin network. In DPoS, the attacker needs enough stake to vote the witnesses in and enough for the deposit (which may or may not vote). The amount needed for the deposit is C/2, which should be greater than C_w/(p*r) if DPoS is to have lower cost than PoW for the same security against this attack. To fairly compare the PoW numbers with DPoS, we should assume that the DPoS core stake has a similar market cap as BTC (currently $3.8 billion) and conservatively use the C_w/r value of $150,000 (thus C/2 should approximately be $158,000, which is small relative to $130 million so we can ignore it, and we could ignore it anyway if the security deposit was allowed to vote since it offsets some of the need to buy additional voting stake). Even assuming a very liquid market (and/or stake bought and resold very slowly without compromising the attack), with just 0.5% of the stake being necessary it will already cost the attacker more initial capital than with the PoW brute-force attack. The attacker won't be able to get any witnesses voted in with only 0.5% approval. Currently approximately 13.5% of stake is necessary to get the majority of BitShares 0.x delegates voted in; let's assume similar voting patterns carried over to DPoS 2.0 witnesses. Ignoring the fact that purchasing 13.5% of stake would drastically raise the price (and thus market cap), this means that BitShares would have higher initial capital requirements for this attack than Bitcoin if it had a market cap of at least $963 million. With its current market cap, the initial capital requirements are only approximately $2.2 million (again not considering how the market cap would dramatically increase if someone actually attempted to buy 13.5% of all BTS).
It is important to note that these were only two classes of attacks. This rough analysis (I appreciate any corrections or improvements) hopefully shows that for the same amount of security against these attacks, a DPoS network costs less to operate than a PoW network. It does not say anything about the relative security of two networks for different attacks. As I mentioned in the beginning, there is a trade-off. We give up objectivity by going from PoW to DPoS. This makes DPoS less secure than PoW (almost regardless of operating cost) for certain attacks.
For example, if the majority of witnesses are colluding to attack a victim and they also control that victim's internet connection and can maintain control of that internet connection for over 2 weeks, then there is some chance the victim can be kept in the dark about the double spend for long enough that it will be too late to punish the witnesses with a double sign proof that burns their deposits. Essentially the probability p gets close to 0 in this case, which means the C_w/C_d ratio also falls to a value close to 0 (and importantly less than 1, which means PoW is more secure against this case for the same cost). It is very questionable how realistic this attack scenario is. If the probability of the victim discovering the attack and providing the double sign proof to the blockchain in time can be kept above 2*f/r = 2*0.05/29 = 0.00345, then the DPoS system still has better security for the same cost. In fact, given the numbers above, DPoS can have the same security as PoW against this attack with an order of magnitude lower operating cost as long as the probability of the attacker getting away with this particular attack without losing the security deposit is less than 96.5%. Increasing the 2 week delay to withdraw the deposit is an easy way to sufficiently decrease this probability of attack success (if even necessary) at the inconvenience of delaying how long it takes for a retired witness to get back their deposit.
Another case in which PoW's objectivity shines is when synchronizing the blockchain after a long time of being offline. Even if the user has no estimate for what the accumulated work done should be, assuming their internet isn't compromised they will likely be able to find the blockchain with the larger accumulated work done (the correct blockchain) without any trust. But with DPoS, a very large majority of old witnesses that were simultaneously active at some point in the past (but have long since stopped being witnesses and have withdrawn their deposit and so have no stake to lose) could collude together to continue a fake blockchain from the fork point. If they also compromise the victim's internet connection, they can trick the user into syncing to a fake blockchain and thus double-spend attack the victim. What is worse is that even after getting access to an uncompromised network some time after syncing, the victim's client may refuse to switch to the real chain because the fork point would be past the chain reorganization limit. Furthermore, if nearly all of the old witnesses colluded (so 99+% of the witnesses at a single point in time in the blockchain history colluded to make the fake blockchain history, and therefore could likely have a longer fake blockchain than the real blockchain, which will naturally have some witnesses occasionally missing blocks), then the victim wouldn't figure out which chain was the real one even if their internet connection wasn't compromised at any time. In this case I believe the client should do the right thing and get stuck rather than picking one chain or the other (is that correct?), so the victim is not in any actual risk of a double-spend attack, but it is annoying because it then requires the victim to rely on his social network of trust to determine the correct chain (he needs to acquire a trusted recent checkpoint and add it to the client).
Thankfully, with a 2 week withdrawal delay on the security deposit, witnesses who retired or were voted out less than 2 weeks ago will be highly unlikely to dare carry out this attack. This means that someone syncing the blockchain every week is in no real danger of this attack. Furthermore, if we assume witness turnover is slow, it is unlikely that there will be enough old witnesses with nothing at stake that are willing to collude to attack users who haven't synced for a couple months (not to mention that it is difficult to know who specifically to target). However, it is probably prudent to assume that if someone hasn't synced the blockchain for several months, they should first acquire a recent trusted checkpoint and add it to their client (assuming it isn't already done automatically in their most recently downloaded version of the client). Finally, most people would be using a lightweight client setup anyway, so all of this responsibility is placed on the host and the users are simply trusting that the host will not double-spend attack them because it would destroy their reputation and future business.
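As an added worked example (not part of the original post, and not BitShares project code), here is the brute-force cost comparison from the post carried through in Python with its own symbols (C_a, C_e, C_s, C_w, C_d, p, f, r). The hardware and price figures are the ones the post quotes (AntMiner S5 at 3,121 MHash/s/$ and 1,957 MHash/J, 400 billion MHash/s, $0.08/kWh, $350 million per year of block rewards); the function names, the C_s parameter and the attack-window helper are my assumptions. Note that the block models C_a as the resale discount times the ASIC capital cost, so the 100% discount case yields C_a of roughly $128M rather than the $12M figure the post uses; passing C_a = $12M directly reproduces the post's r = 29 case.

```python
"""
Worked example for the PoW vs DPoS brute-force attack cost comparison.

Symbols follow the forum post:
  C_a  net loss from buying ASICs and reselling them after the attack
  C_e  electricity to run the ASICs for the attack window
  C_s  net loss from buying voting stake and reselling it (post assumes 0)
  C_w  yearly expense the PoW chain pays miners (block rewards)
  p    probability the attacker's witness deposits get burned
  f    yearly return paid on the locked witness deposit C
  C_d  = f*C, yearly cost of compensating the locked deposit
Function names and the dict layout are this example's own assumptions.
"""

HOURS_PER_YEAR = 365 * 24
BITCOIN_BLOCK_MINUTES = 10  # assumed average block interval

# Figures quoted in the post (AntMiner S5 row of the referenced table).
POST_HASHRATE_MHS = 400e9    # network hash rate, MHash/s
POST_MHS_PER_DOLLAR = 3121   # MHash/s bought per $ of ASIC
POST_MHS_PER_JOULE = 1957    # MHash per joule of electricity
POST_PRICE_PER_KWH = 0.08    # $/kWh
POST_C_W = 350e6             # yearly PoW expense (block rewards), $/yr


def pow_attacker_costs(hashrate_mhs, mhs_per_dollar, mhs_per_joule,
                       price_per_kwh, attack_blocks, resale_discount):
    """Estimate C_a and C_e for a PoW brute-force attack.

    The attacker buys enough ASICs to match the network hash rate, runs them
    for attack_blocks blocks, then resells them at (1 - resale_discount) of
    the purchase price, so C_a = resale_discount * capital cost.
    """
    asic_capital = hashrate_mhs / mhs_per_dollar        # $
    power_kw = hashrate_mhs / mhs_per_joule / 1000.0    # W -> kW
    attack_hours = attack_blocks * BITCOIN_BLOCK_MINUTES / 60.0
    return {
        "asic_capital": asic_capital,
        "power_kw": power_kw,
        "yearly_electricity": power_kw * HOURS_PER_YEAR * price_per_kwh,
        "C_a": resale_discount * asic_capital,
        "C_e": power_kw * attack_hours * price_per_kwh,
    }


def dpos_requirements(C_w, C_a, C_e, p, f, C_s=0.0):
    """DPoS is at least as secure as PoW when p*C/2 + C_s > C_a + C_e.

    Returns r = C_w/(C_a + C_e), the minimum total deposit C, the minimum
    yearly deposit compensation C_d = f*C, and the cost ratio C_w/C_d.
    """
    if not 0.0 < p <= 1.0:
        raise ValueError("p must be a probability in (0, 1]")
    attacker_cost = C_a + C_e
    r = C_w / attacker_cost
    C_min = 2.0 * (attacker_cost - C_s) / p   # from p*C/2 + C_s > C_a + C_e
    C_d = f * C_min
    return {"r": r, "C_min": C_min, "C_d": C_d, "cost_ratio": C_w / C_d}


def cost_ratio(p, r, f):
    """Closed form from the post: C_w/C_d = p*r/(2*f) when C_s = 0."""
    return p * r / (2.0 * f)


def min_burn_probability(f, r):
    """Smallest p at which DPoS still beats PoW for the same cost: p > 2*f/r.

    This is the 'victim kept in the dark' scenario at the end of the post,
    where the attacker hopes to push p toward 0.
    """
    return 2.0 * f / r


if __name__ == "__main__":
    pow_costs = pow_attacker_costs(POST_HASHRATE_MHS, POST_MHS_PER_DOLLAR,
                                   POST_MHS_PER_JOULE, POST_PRICE_PER_KWH,
                                   attack_blocks=53, resale_discount=0.10)
    print(f"ASIC capital      ${pow_costs['asic_capital']:,.0f}")
    print(f"Power draw        {pow_costs['power_kw']:,.0f} kW")
    print(f"Electricity/year  ${pow_costs['yearly_electricity']:,.0f}")
    print(f"C_a (10% discount) ${pow_costs['C_a']:,.0f}")
    print(f"C_e (53 blocks)    ${pow_costs['C_e']:,.0f}")
    # Reproduce the post's conservative case: C_a = $12M, C_e = $144k.
    req = dpos_requirements(POST_C_W, C_a=12e6, C_e=144e3, p=0.95, f=0.05)
    print(f"r = {req['r']:.1f}, minimum C_d = ${req['C_d']:,.0f}/yr, "
          f"C_w/C_d = {req['cost_ratio']:.1f}")
    print(f"p must stay above {min_burn_probability(0.05, req['r']):.5f}")
```

Running the script prints the post's numbers (about $128M of ASICs drawing about 204 MW, $144k of electricity for the 53-block window, r near 29, C_d near $1.28M per year and a cost ratio near 274). The C_s parameter is there so the inequality can be re-run with a non-zero stake loss, which only raises the bar for the attacker.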