Author Topic: Understanding strengths and vulnerabilities of Delegate Proof of Stake (DPOS)  (Read 4579 times)

Offline Helikopterben

btc38-public-for-bts-cold has 278M BTS, and 21/27 top witnesses have less than that amount voting them in.

This is the most relevant argument against decentralization.  The most serious threat is btc38 being hacked and 278m bts winding up in the hands of an unstable hacker, especially if the hacker has little cost pulling off the attack.  There is precedent for this.  Mintpal was once hacked and 30% of all Vericoin were stolen.  The Vericoin chain was subsequently rolled back by the developers to reverse the transaction, which was perceived as centralization (i.e. the developers had arbitrary control over the chain).  Whether this was a function of consensus or a function of arbitrary control is a matter of personal perception, but it's best to avoid this situation entirely if possible.  This even led to a question of whether the nxt chain should be rolled back after the bter hack.  It wasn't.

Centralized exchanges are notorious for being hacked and this could lead to either a need to roll back the chain (centralization) and/or serious damage to the system.  Until the dex becomes popular and users move funds off of centralized exchanges, this remains a threat.  Other attacks are mostly just straw-man.

Offline ebit

I suspect that with a little economic incentive we could dramatically increase the voter turnout and render worries about this attack vector moot.

For example, charging a 0.1% tax per month on all accounts with more than 1M BTS that are not voting for at least 11 witnesses would really jack up the voter turnout.

I wouldn't use the stick personally - I prefer the carrot: active voter participation lowers your fees.
+5%
There will be a new account sign. Such as account+v  Annual+v Lifetime+v, it will get lower fee.
#sharebits monsterer 9 rose
telegram:ebit521
https://weibo.com/ebiter

Offline Thom

Thank you monsterer for injecting a strong dose of reality to challenge BM. In my view his claims of being more decentralized than Bitcoin when btc38 has a single account with such a large stake blow his argument away. Saying that voting power couldn't be exercised on the grounds it isn't "practical" sounds extremely weak to me.

I have previously expressed my doubts about DPoS on the basis of voter apathy alone. The OP draws a comparison between DPoS and the governance commonly used in the world today, saying that should be a strong argument for its robustness and should instill confidence. I disagree. I see just the opposite, it is a weakness, one which demonstrates the intrinsic flaws of people playing a major role in the governance model.  Just look around and see for yourself how this governance model has become corrupted or co-opted throughout society. However, I see no way around it which doesn't have worse consequences.

Although Bitcoin's PoW algorithm was an ingenious attempt to reduce this human corruptibility it just shifted it to some other place in the overall governance model, in addition to the flaw of huge wastefulness inherent in PoW. BM's observation of Bitcoin's lack of sustainability due to a lack of profit when viewed as a DAC was equally ingenious as well as accurate.

However, it's sad that BM didn't learn the lesson from BitShares 0.X of how important it is to incentivize voting in the DPoS model. Voting was clearly not considered a high priority in 2.0 either, as it was further weakened from an instantaneous causal effect to one which takes place only as fast as the maintenance interval. And just what is the minimum practical length of the maintenance interval? That depends on several factors, but I'd suspect it was never modeled or evaluated against factors such as the number of total shareholder votes, how many proxies, proposals, witness / committee slots are open for voting, or how many active accounts exist that participate in the voting. It doesn't matter all that much if apathy is prevalent.

I hope BM and this community will learn, grow and triumph over these challenges before some other party can. There is such great potential here. If we are to be successful we must learn from our mistakes and adapt quickly. I just hope we can do that fast enough.

We need strong voices such as monsterer's to challenge our most basic of assumptions and be willing to help come up with solutions. We also need BM / CNX to be open minded and willing to truly consider the merits of arguments when challenged. I am glad to see this happen, such as the incorporation of wmbutler's project management role into the GUI coding effort, as well as BM's responsiveness to community feedback concerning the direction of wallet development. So my hope is not extinguished by a long shot.
Injustice anywhere is a threat to justice everywhere - MLK |  Verbaltech2 Witness Reports: https://bitsharestalk.org/index.php/topic,23902.0.html

TravelsAsia

  • Guest
I suspect that with a little economic incentive we could dramatically increase the voter turnout and render worries about this attack vector moot.

For example, charging a 0.1% tax per month on all accounts with more than 1M BTS that are not voting for at least 11 witnesses would really jack up the voter turnout.

I wouldn't use the stick personally - I prefer the carrot: active voter participation lowers your fees.

I like the carrot along with a campaign for proxy voting. Even a small video integrated into the wallet on how/why it should be done would be beneficial.

Offline monsterer

I suspect that with a little economic incentive we could dramatically increase the voter turnout and render worries about this attack vector moot.

For example, charging a 0.1% tax per month on all accounts with more than 1M BTS that are not voting for at least 11 witnesses would really jack up the voter turnout.

I wouldn't use the stick personally - I prefer the carrot: active voter participation lowers your fees.
My opinions do not represent those of metaexchange unless explicitly stated.
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline bytemaster

With respect to recovering a proof-of-work chain, let's talk about it in terms of "recovering within a week".   If all mining hardware was turned into a unicorn people could still mine with their CPU/GPU, but it wouldn't be profitable and it would take days between blocks.

That's irrelevant. If you turned all DPOS delegates into unicorns the chain would be unrecoverable excepting for a hard fork.

I think you will need to be careful when describing DPOS as more decentralised than bitcoin when just one account controls the entire network - which is less decentralisation by a long way.

There is theoretical decentralization and then there are practical realities.  In theory DPOS could be more secure (more distributed influence).  In practice there exists a combination of voter apathy/laziness.   This voter apathy isn't a structural one, it is an incentive one.

I suspect that with a little economic incentive we could dramatically increase the voter turnout and render worries about this attack vector moot.

For example, charging a 0.1% tax per month on all accounts with more than 1M BTS that are not voting for at least 11 witnesses would really jack up the voter turnout. 

For the latest updates checkout my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.

Offline monsterer

With respect to recovering a proof-of-work chain, let's talk about it in terms of "recovering within a week".   If all mining hardware was turned into a unicorn people could still mine with their CPU/GPU, but it wouldn't be profitable and it would take days between blocks.

That's irrelevant. If you turned all DPOS delegates into unicorns the chain would be unrecoverable excepting for a hard fork.

I think you will need to be careful when describing DPOS as more decentralised than bitcoin when just one account controls the entire network - which is less decentralisation by a long way.

Offline bytemaster

TAPOS is implemented (as in all the data is there in the chain and transactions refer to prior blocks).   TAPOS is not implemented in the sense that we do not calculate the TAPOS confirmation percentage to display to the user. In other words, it could be added without a hardfork.

We decided to require 2/3 to lock something in as irreversible even though technically 51% could be enough. We effectively decided that to have less than 2/3 confirmation means there are network issues and everyone should be cautious. 

With respect to recovering a proof-of-work chain, let's talk about it in terms of "recovering within a week".   If all mining hardware was turned into a unicorn people could still mine with their CPU/GPU, but it wouldn't be profitable and it would take days between blocks.  The difficulty wouldn't be able to adjust fast enough and new mining equipment wouldn't be able to be produced fast enough (especially if the factories were taken offline).   In simple economic terms, the special purpose hardware creates a barrier to entry that slows down recovery from attacks.

DPOS is only as secure as voter participation.  The primary reason for concentrations of stake in a single account is exchanges.  BTS aims to be its own best exchange which should gradually reduce the amounts kept on deposit.

It would be better if we could convince exchanges to vote for a proxy with their cold storage account.  This way any one exchange would be unable to gain control.
For the latest updates checkout my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.
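
An added illustration of the TAPOS confirmation percentage mentioned in the post above. It is not BitShares code, and the post itself says the chain does not calculate this figure. It assumes a transaction confirms the block it refers to and every earlier block on that chain; the `Tx` and `Block` types, the function names, the balances and the block ids are all constructed for the example.

```python
from fractions import Fraction
from typing import NamedTuple

class Tx(NamedTuple):
    signer: str      # account whose key signed the transaction
    ref_block: str   # id of the prior block the transaction refers to

class Block(NamedTuple):
    num: int
    block_id: str    # constructed identifier; a real chain uses a hash
    txs: tuple = ()

def stake_confirming(chain, balances, target_num):
    """Share of all stake that has directly confirmed block `target_num`.

    An account counts once any of its transactions on this chain refers to
    the target block or a later one. A transaction whose referenced block is
    not on this chain is invalid here and contributes nothing."""
    height = {b.block_id: b.num for b in chain}
    confirmed = set()
    for block in chain:
        for tx in block.txs:
            ref = height.get(tx.ref_block)
            if ref is not None and target_num <= ref < block.num:
                confirmed.add(tx.signer)
    staked = sum(balances[a] for a in confirmed)
    return Fraction(staked, sum(balances.values()))

# Constructed balances, in millions of BTS
BALANCES = {"alice": 40, "bob": 30, "carol": 20, "dave": 10}

def tapos_demo():
    t_alice = Tx("alice", "m2")
    t_bob = Tx("bob", "m4")
    t_carol = Tx("carol", "m3")
    main = [Block(1, "m1"), Block(2, "m2"), Block(3, "m3", (t_alice,)),
            Block(4, "m4", (t_carol,)), Block(5, "m5", (t_bob,)),
            Block(6, "m6")]
    # Alternative chain branching after block 2, built with witness keys only.
    # It can carry alice's transaction (m2 is shared) but bob's and carol's
    # refer to blocks that exist only on the main chain, so they do not count.
    fork = main[:2] + [Block(3, "f3", (t_alice, t_bob, t_carol))]
    fork += [Block(n, f"f{n}") for n in range(4, 10)]

    def pct(chain, num):
        return int(100 * stake_confirming(chain, BALANCES, num))

    return {"main_block_2": pct(main, 2), "main_block_4": pct(main, 4),
            "fork_block_2": pct(fork, 2), "fork_block_3": pct(fork, 3)}

if __name__ == "__main__":
    print(tapos_demo())
```

In this model the alternative chain is longer than the main chain, yet no stake confirms anything past the fork point, because that would need signatures from the account holders themselves.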

Offline monsterer

1. Long range attack is only viable against New Nodes on an ISOLATED network and can be completely eliminated with proper TAPOS accounting.  Under TAPOS it is possible to know what percent of the stake has directly confirmed the chain without going through intermediate witnesses.  A long-range attack would have to gather keys of individual accounts, not just keys of witnesses.   

And is TAPOS implemented?

What about keys to the past attack?

Quote
2. Potentially reversible simply means that they are subject to the longest-chain rule.  If a longer chain were to be produced that built off the last irreversible block then the node would automatically switch over to it.

Why is the 33% important here, not 50%?

Quote
3. The blockchain would not be recoverable if the reason the hash power was taken off line was due to confiscation of mining hardware at large centralized farms (bomb, fire, law) and the chip manufacturers were shut down.

Of course it would! You could turn every single piece of mining equipment into a unicorn and the chain would still be recoverable! Since bitcoin is permissionless, anyone can mine.

Quote
4. I was not referring to negative mining attack, I was referring to buying loyalty by guaranteeing a 2x increase in profits to existing miners which.  Profits are different from Revenue.

Let's stick with plain facts here, though. Speculation doesn't win arguments about security.

Quote
5. Assuming a connected network, no node will automatically switch to any fork that branches prior to the last irreversible block. To reverse that block would require all of the passive observers to manually intervene. If the witnesses are compromised they could attempt to produce an alternative chain, but it would not be recognized as legitimate to active full nodes no matter how long it got.  All users of the blockchain would know the proper chain.  Compromise of 99% of the witnesses is like the 51% attack on Bitcoin so such an extreme case isn't generally considered possible.

What passive observers are you referring to here?

How would all users of the blockchain 'know' the proper chain without an objective measure of what it is?

Another point: how do you answer the accusation that DPOS is currently in danger of an 85% attack: right now 1 account could vote out the majority of witnesses and vote in his own colluding witnesses and bring the chain to a complete stop?

btc38-public-for-bts-cold has 278M BTS, and 21/27 top witnesses have less than that amount voting them in.

ref:

http://richlist.btsgame.org/
http://cryptofresh.com/witnesses

What measures are in place to prevent this? At least in bitcoin,  people switch pools when one has dominant power.

Offline bytemaster

1. Long range attack is only viable against New Nodes on an ISOLATED network and can be completely eliminated with proper TAPOS accounting.  Under TAPOS it is possible to know what percent of the stake has directly confirmed the chain without going through intermediate witnesses.  A long-range attack would have to gather keys of individual accounts, not just keys of witnesses.   

2. Potentially reversible simply means that they are subject to the longest-chain rule.  If a longer chain were to be produced that built off the last irreversible block then the node would automatically switch over to it.

3. The blockchain would not be recoverable if the reason the hash power was taken off line was due to confiscation of mining hardware at large centralized farms (bomb, fire, law) and the chip manufacturers were shut down.

4. I was not referring to negative mining attack, I was referring to buying loyalty by guaranteeing a 2x increase in profits to existing miners which.  Profits are different from Revenue.

5. Assuming a connected network, no node will automatically switch to any fork that branches prior to the last irreversible block. To reverse that block would require all of the passive observers to manually intervene. If the witnesses are compromised they could attempt to produce an alternative chain, but it would not be recognized as legitimate to active full nodes no matter how long it got.  All users of the blockchain would know the proper chain.  Compromise of 99% of the witnesses is like the 51% attack on Bitcoin so such an extreme case isn't generally considered possible.   
For the latest updates checkout my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.
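
The 2/3 lock-in and the fork rule from points 2 and 5 above, modelled as an added example (not code from BitShares or from the post). The `Block` type, function names and block ids are hypothetical, the chains are constructed, and "confirmed" is simplified to mean that a witness produced that block or a later one on the same chain.

```python
from fractions import Fraction
from typing import NamedTuple

class Block(NamedTuple):
    num: int       # height
    block_id: str  # constructed identifier; a real chain uses a hash
    witness: str   # producer of the block

THRESHOLD = Fraction(2, 3)  # the thread's figure: 2/3 locks a block in

def last_irreversible(chain, active, threshold=THRESHOLD):
    """Highest block that at least `threshold` of the active witnesses have
    produced or built on. Returns 0 if no block qualifies yet."""
    seen = set()
    for block in reversed(chain):          # walk from the tip backwards
        if block.witness in active:
            seen.add(block.witness)
        if Fraction(len(seen), len(active)) >= threshold:
            return block.num
    return 0

def fork_point(a, b):
    """Height of the last block the two chains share (0 = genesis only)."""
    height = 0
    for x, y in zip(a, b):
        if x.block_id != y.block_id:
            break
        height = x.num
    return height

def choose_chain(current, candidate, active):
    """Longest-chain rule, restricted to forks at or after the LIB."""
    lib = last_irreversible(current, active)
    if fork_point(current, candidate) < lib:
        return current                     # never reorganise below the LIB
    return candidate if len(candidate) > len(current) else current

def extend(chain, count, producers, tag):
    """Append `count` blocks produced round-robin by `producers`."""
    out = list(chain)
    for i in range(count):
        num = len(out) + 1
        out.append(Block(num, f"{tag}-{num}", producers[i % len(producers)]))
    return out

WITNESSES = [f"w{i}" for i in range(27)]   # 27 witnesses, as in the thread

def lib_demo():
    active = set(WITNESSES)
    healthy = extend([], 30, WITNESSES, "main")
    # 10 of 27 witnesses stop: 17 is below the 18 needed for 2/3
    degraded = extend(healthy, 30, WITNESSES[:17], "main")
    # Longer alternative chain that branches below the LIB
    deep = extend(healthy[:10], 80, WITNESSES[:20], "alt")
    # Longer alternative chain that branches above the LIB
    shallow = extend(healthy[:20], 15, WITNESSES, "alt2")
    return {
        "lib_healthy": last_irreversible(healthy, active),
        "lib_degraded": last_irreversible(degraded, active),
        "deep_fork_accepted": choose_chain(healthy, deep, active) is deep,
        "shallow_fork_accepted": choose_chain(healthy, shallow, active) is shallow,
    }

if __name__ == "__main__":
    print(lib_demo())
```

With 17 of 27 witnesses producing, the chain keeps growing but the irreversible height stays where it was, which is the "contingent" state the post calls potentially reversible.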

Offline monsterer

1. All full nodes are observers, this means that they serve the purpose of redundancy and irreversibility to a high degree (unlimited).  This protects the network against corruption of past progress in a manner that Bitcoin can never guarantee due to the concept of the Last Irreversible Block.

What about long range attack, or keys to the past?

Quote
2. All witness nodes are observers that are actively involved in the consensus process, in other words they are required to allow consensus to advance. If 33% of these nodes "fail" then all forward progress is contingent (potentially reversible)

Define 'potentially reversible'?

Quote
So let's compare this to Bitcoin:
1. If 99% of miners fail and stop producing blocks, consensus will "stop" (fall to 2 blocks per day)

...But the chain is recoverable without intervention.

Quote
2. Control can be purchased for a marginal increase on the profit associated with mining (not the revenue) and profit margins are constantly shrinking.

Not sure if you're referring to your theoretical negative mining attack here - if so this has been proven to be a straw man.

Quote
3. There are only 3 "generals" that matter in Bitcoin (the large pools) compared to 27 on BitShares

This is the wrong comparison to make. Really you should be comparing the percentage of hashing power in any one pool to the common stake which voted in the witnesses.

Quote
4. In any given set of 6 blocks there will be an average of less than 4 mining pools that confirmed it.
5. Transactions are never irreversible by-protocol, they can always be reversed with enough money.

I challenge you to prove that transactions are irreversible after the last 'irreversible' block.
« Last Edit: November 24, 2015, 10:57:46 pm by monsterer »

Offline bytemaster

Quote
The following practical, concise definitions are helpful in understanding Byzantine fault tolerance:[3][4]

Byzantine fault: Any fault presenting different symptoms to different observers
Byzantine failure: The loss of a system service due to a Byzantine fault in systems that require consensus

There are several different kinds of *faults* and degrees of damage that could occur.  Let's divide faults up into 3 categories:

1. Temporarily Halting Forward Progress
2. Permanently Halting Forward Progress
3. Corrupting Past Progress

Let's define the set of observers:

1. All full nodes are observers, this means that they serve the purpose of redundancy and irreversibility to a high degree (unlimited).  This protects the network against corruption of past progress in a manner that Bitcoin can never guarantee due to the concept of the Last Irreversible Block.
2. All witness nodes are observers that are actively involved in the consensus process, in other words they are required to allow consensus to advance. If 33% of these nodes "fail" then all forward progress is contingent (potentially reversible) but generally speaking consensus is still reached so long as there is a 51% majority.   Worst case, 49% of witnesses are corrupted (not just failed).  This will simply keep consensus in a "contingent" state until stakeholders can vote in 67% of cooperating witnesses.  Forward progress can be made at all times even if it is technically contingent.

If 67% of elected witnesses are corrupted then there are two options:

1. Consensus continues to advance and the elected witnesses censor transactions (or halt them altogether) in which case forward progress is permanently halted.
2. If 99% of elected witnesses "fail" and stop producing blocks, consensus can still advance in a contingent state until stakeholders can elect new witnesses.

So let's compare this to Bitcoin:
1. If 99% of miners fail and stop producing blocks, consensus will "stop" (fall to 2 blocks per day)
2. Control can be purchased for a marginal increase on the profit associated with mining (not the revenue) and profit margins are constantly shrinking.
3. There are only 3 "generals" that matter in Bitcoin (the large pools) compared to 27 on BitShares
4. In any given set of 6 blocks there will be an average of less than 4 mining pools that confirmed it.
5. Transactions are never irreversible by-protocol, they can always be reversed with enough money.

So if you want to measure "fault tolerance" nothing compares to BitShares.

« Last Edit: November 24, 2015, 07:45:55 pm by bytemaster »

Offline monsterer

I'm playing devil's advocate here because that's what you'll get on the bitcoin forums.

1. A 51% attack only applies to future changes, cannot impact past transactions.

Isn't this reduced to 33% in DPOS? When does the last 'irreversible' block occur?

We know DPOS is vulnerable to the very short range Finney attack, as I've proved before, but what does it do to protect against long range attacks, or keys from the past attacks?

If a government or agency targets and takes down all delegates, how can the chain recover? (note that in POW this recovery is automatic)

What proof is there that DPOS solves the Byzantine generals problem and to what tolerance?

Offline merivercap


Minority stakeholders are protected by keeping all changes slow enough for them to sell prior to the change. If the 51% want to steal the funds of the 1% by dilution the 1% can sell prior to the dilution. This the smaller investor is more liquid than the larger investor.

That's another good control. 
BitCash - http://www.bitcash.org 
Beta: bitCash Wallet / p2p Gateway: (https://m.bitcash.org)
Beta: bitCash Trade (https://trade.bitcash.org)