Pillow's Peercoin Myths

There are some myths about Peercoin. These myths are often based on misconceptions about Peercoin and born out of ignorance. This thread lists the most common ones, along with additional information so that the reader can put the myth into context. The idea is to provide the reader with accurate information, so that the reader may form his or her own opinion based on facts.

Please share this thread with all people who have misconceptions about Peercoin. If you know about a myth that has not already been listed below, please reply to this thread. Also, please let us know if you find any errors by posting in this thread.

List of common myths. Follow the links to learn more:

Peercoin is Highly Vulnerable to 51% Attack
Myth: Given enough coins, it’s very easy to control the blockchain.

Nothing-at-Stake
Myth: There is nothing that prevents minters from minting on several chains at once, and since doing so doesn’t cost anything, there is an incentive to do so. Therefore, the network will never reach consensus and there will be a multitude of competing chain forks.

Stake Grinding
Myth: Using only a limited amount of coin age, the blockchain history can be re-written by grinding through the probabilities involved in creating the longest blockchain. As long as there is only a little coin age left, it is possible to create one more block. This makes Proof-of-Work the arbitrator in Peercoin.

Synchronized Checkpointing
Myth: The network is centralized because the synchronized checkpointing mechanism allows Sunny King to control the blockchain history.

History Revision Attack
Myth: An attacker can rewrite the blockchain history using old private keys.

Time-Drift Attack
Myth: An attacker can manipulate the clock time and generate blocks ahead of time.

Only One Developer
Myth: There is only one developer, Sunny King. He is anonymous and if something happens to him, that’s the end of it.

Peercoin was Pre-Mined
Myth: Peercoin was pre-mined/insta-mined.

Peercoin is Extremely Inflationary
Myth: New coins are created all the time; it will be incredibly inflationary.

Peercoin is Unfair
Myth: The coin is designed to make the rich richer and enrich early adopters.

Peercoin is a Scam
Myth: It’s just a scam coin with no long-term plan.

This post is subject to change.

I think you should change the title of this thread to something a little more obvious like “Counter-Arguments for Common Peercoin Myths & Criticisms.”


Thanks. Done.

How do you respond to the history attack? Critics claim by using checkpoint, therefore peercoin is centralized by dev. For example:

https://bitcointalk.org/index.php?topic=615843.msg6753563#msg6753563

I would like to present the specific steps of an attack exploiting the “nothing at stake” phenomena. As you will see, the attack does not pose a serious threat to the network.

  1. Alter the client source code to not include any transactions in a block except your own.

  2. Write a utility that can sign and automatically issue a transaction to transfer coins from and to addresses of your choosing.

  3. Build and deploy your altered Peercoin client to 10 different virtual machines.

  4. Open exchange accounts with 10 different exchanges. In each virtual machine, configure the utility you wrote to transfer the same coins to a unique exchange address. You are attempting a double spend, or in this case, you try to spend the same coins 10 times.

  5. Mint on all 10 virtual machines using the same wallet on each while sending out transactions spending your coins to ten different exchange deposit addresses. Other nodes will only accept a single transaction: the one they received first. You only have about a 10% chance of the exchange nodes receiving the spend you wanted it to (this works the same in a proof of work system like Bitcoin). If any other client besides the attacker’s finds the next block, the multiple spend is resolved and the coins cannot be used again to attempt a multiple spend in the next block. The attempt to get the double or multi spend confirmed failed. If the attacker is very lucky and finds the very next block after sending out multi spends (using 10 machines does not increase the attacker’s likelihood of finding the next block), there will be 10 forks with 10 different spends of the same coins with one confirmation. No other transactions will be included in these 10 competing blocks.

  6. We now have 10 Peercoin forks, all of which are being minted on. Clients run by others will decide which fork to mint on based on which of the 10 competing blocks they received first.

  7. The next block will be minted. If it is minted by someone else other than the attacker, which is the overwhelming likelihood, this new block defines the best chain and consensus is restored across the entire network. All legitimate transactions excluded from the previous block are included in this block. In the unlikely event that the next block is minted by the attacker, all 10 forks will continue.

  8. As soon as anyone else on the network besides the attacker finds a single block, the attack is defeated. Double spends (or 10 spends in our case) disappear and all other transactions are confirmed normally.

Let’s consider the above attack scenario for someone who has accumulated 6% of all Peercoins, meaning they spent at least $2,400,000 USD on Peercoins at today’s prices and split them up into 6 different outputs or addresses (one for each of the 6 consecutive blocks they need). Let’s assume they waited 90 days to mint with those coins. Such a person might have a 3% chance of finding the next block. If they succeed at getting one and only one confirmation on their multiple spends they cannot defraud an exchange (because they typically require 6 confirmations). They have less than a 0.1% chance of getting two blocks in a row and around 0.003% of finding three in a row. The chance they will find six blocks in a row is 0.00000000729%. They must wait 90 days to get another optimal chance to attack after a failed attempt.

If they fork the network for one or two blocks and their double spend is successful for only one or two blocks, they can’t defraud an exchange but they might harm the value of their own investment if the market is not impressed by these one or two block forks. Because 6 consecutive blocks are needed to defraud an exchange from double spending, even a very large stakeholder would have a negligible chance of success. If they got somewhat close to success but failed (the overwhelming likelihood) it would lower the value of their Peercoins as the market priced in worries of a possible future success. The odds of gain are strongly against you because any near success that ultimately fails can hurt the value of your Peercoins.

The endeavor cannot be embarked upon with an expectation of financial gain. Financial loss is far, far more likely. The loss of large amounts of time is certain. Additionally, few people have the skills to mount such a complicated attack. The fact that such forks have not been known to occur suggests no one has attempted it, precisely because it is extremely unlikely to result in financial gain while much more likely to result in loss.

There are many more important threats to PoS networks than the risk of a successful exploit of the “nothing at stake” phenomena. For instance, the possibility that the Peercoin network will experience low levels of adoption is far, far greater than the possibility of a successful attack of the kind described above. We should focus our attention accordingly.

Update: I realized I had overestimated the probability of a successful attack. If you buy 1% of Peercoins and put them all in the same output (similar to an address), you might have about a 3% chance of finding the next block. However, you would have nothing left to try to find your 2nd, 3rd, 4th, 5th and 6th consecutive blocks. To do that with the probabilities mentioned above you would need to purchase 6% of all Peercoins at a current cost of more than 2.4 million USD. Doing so would raise the price of Peercoin, meaning you would have to pay more than market price on average. Similarly, such a large amount of Peercoins would have to be sold later below market price on average, exposing the attacker to certain financial loss.
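The compounding argument in Jordan's post, worked through as an added example (not code from the thread or from Peercoin): it takes the post's assumptions (about a 3% chance of minting the next block, 6 confirmations required, one attempt per 90-day coin-age cycle) and derives the chance of a run of consecutive blocks, plus how many 90-day attempts such a run would take. The independence of successive blocks is a modelling assumption, not something the post states.

```python
# Added example, not from the thread. Models Jordan Lee's probability argument:
# each block is an independent trial with success probability p_block
# (assumption), an exchange needs n_blocks consecutive attacker blocks, and a
# failed attempt costs one 90-day coin-age cycle.
import math
from typing import List, Tuple

P_BLOCK = 0.03          # post's estimate for a 6%-of-supply stake, 90 days aged
CONFIRMATIONS = 6       # post's assumption about exchange deposit policy
DAYS_PER_ATTEMPT = 90   # coin age must rebuild before the next optimal attempt


def consecutive_block_probability(p_block: float, n_blocks: int) -> float:
    """Chance that one minter finds n_blocks in a row (independent trials)."""
    if not 0.0 <= p_block <= 1.0 or n_blocks < 0:
        raise ValueError("p_block must be in [0, 1] and n_blocks >= 0")
    return p_block ** n_blocks


def success_table(p_block: float, max_blocks: int) -> List[Tuple[int, float]]:
    """(n, percent chance of n consecutive blocks) for n = 1..max_blocks."""
    return [(n, 100.0 * consecutive_block_probability(p_block, n))
            for n in range(1, max_blocks + 1)]


def attempts_for_confidence(p_success: float, confidence: float) -> int:
    """Smallest number of independent attempts that gives at least
    `confidence` probability of one success (geometric model)."""
    if not 0.0 < p_success <= 1.0 or not 0.0 < confidence < 1.0:
        raise ValueError("p_success in (0, 1], confidence in (0, 1)")
    if p_success == 1.0:
        return 1
    # log1p keeps precision when p_success is tiny (1 - p rounds otherwise).
    return math.ceil(math.log(1.0 - confidence) / math.log1p(-p_success))


def expected_days_to_success(p_success: float,
                             days_per_attempt: float = DAYS_PER_ATTEMPT) -> float:
    """Mean waiting time when each attempt needs a full coin-age cycle."""
    if not 0.0 < p_success <= 1.0:
        raise ValueError("p_success in (0, 1]")
    return days_per_attempt / p_success


if __name__ == "__main__":
    for n, pct in success_table(P_BLOCK, CONFIRMATIONS):
        print(f"{n} consecutive block(s): {pct:.10g}%")
    p_run = consecutive_block_probability(P_BLOCK, CONFIRMATIONS)
    print("attempts for a 50% chance of one 6-block run:",
          attempts_for_confidence(p_run, 0.5))
    print("expected days at one attempt per 90 days:",
          f"{expected_days_to_success(p_run):.3g}")
```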

Does anyone have information on stake-grinding? I’ve had multiple people on Reddit inform me that “you can like, totally attack Peercoin with that stake-grinding thing” but I can’t find any information on the attack itself (how it is performed, vectors, etc.).

Edit: Stake-grinding information was added to the OP. Thanks.

Jordan, after reading this, the chances of a successful attack using this method seem so extremely low that it’s laughable, especially when they’d have to wait another 90 days just to try the attack over again. If this is really the way it is, this whole argument Bitcoiners have been using against us is silly.

[quote=“Jordan Lee, post:5, topic:2518”]I would like to present the specific steps of an attack exploiting the “nothing at stake” phenomena. As you will see, the attack does not pose a serious threat to the network.

…[/quote]

Wow, this response was much more than I was hoping for. Thank you very much Jordan. I’ve replaced my own version with what I hope is a properly condensed version of your rundown (please correct me if I made any errors) and linked to your post. Technical garble-jabble-talk is very good for technically oriented people, but for the layman, your explanation is probably much easier to follow. Thank you for this.

I’m not a technical person when it comes to understanding the mechanisms behind these coins. While I don’t understand everything in Jordan’s post, I get the general meaning. The percentages of success are what really made me realize this argument was garbage, especially when the percentages drastically drop like that after each block and the fact that you’d have to wait 90 days to even attempt it again. It just seems so stupid that this is what we’ve all been worried about. :))

By the way Pillow, there are a bunch of grammatical errors in your original post. You might want to give it a second read through.

Yes, thanks for pointing that out. I’m re-writing the post all the time, so I’ve not bothered with the English, but I’ll have to do that once it’s complete.

This is the latest version:

[b]Nothing-at-Stake (NOT VERIFIED YET)[/b]: There is nothing that prevents minters from minting on several chains, and since doing so doesn't cost anything, there is an incentive to do so. Therefore the network will never reach consensus. There will be a multitude of competing chain forks.

Condensed response
When people bring up this myth, they often cite Greg Maxwell but I’m not sure that he has actually commented on the Peercoin implementation. Has he?

It is extremely unlikely that someone could successfully carry out this attack, mainly for two reasons. The first reason is that there are mechanisms in place to limit the effectiveness of this kind of attack, one of the more important ones being that duplicate blocks are not propagated by the network and that coin age is consumed, imposing a limit on how often the attack can be attempted. The second reason is that the protective mechanisms require that the attacker owns a considerable amount of coins, which exposes the attacker to exchange rate risk; a risk that is increased by the attacker’s own attempt to attack the network. The “Nothing at stake” argument is flawed because it argues that the attacker has nothing at stake, whereas in reality the attacker has to spend resources to acquire the coins used in the attack and thereby is exposed to the exchange risk. It is also false because the probability of succeeding with an attack greatly diminishes for each new block confirmation while the attacker’s coin age is consumed, and thus prevents an extended attack from taking place.

For a more detailed rundown of the costs and probabilities associated with an attack read this post Cryptoblog - notícias sobre bitcoin e criptomoedas! The block duplicate protection mechanism can be studied here https://github.com/ppcoin/ppcoin/blob/master/src/main.cpp#L1985

Further study
For a more in-depth study of the concerns surrounding this type of attack, the following links could serve as entry points: Reddit - Dive into anything Cryptoblog - notícias sobre bitcoin e criptomoedas!

Counter-argument
In Peercoin the attacker will be fully invested in peercoins. In Bitcoin a malicious miner has resources invested in an infrastructure that could be pointed in the blink of an eye to perform mining on alternative coins. Hence, the attacker doesn’t have to own bitcoins and therefore it could be argued that the malicious Bitcoin miner has nothing at stake in Bitcoin.

I have been working hard trying to figure out why this attack isn’t valid for someone willing to spend the money.

https://bitcointalk.org/index.php?topic=604716.20

By splitting up your stake into small chunks you can attempt to mint at almost the same rate on successive blocks without losing coin age. Someone please tell me I am wrong. And then if you skew your block’s time but stay within the clock-drift you get an even better chance of success (as hinted at in the post by cinnamon_carter, page 2, 6/5/2014).

[quote=“onthefrynge, post:11, topic:2518”]I have been working hard trying to figure out why this attack isn’t valid for someone willing to spend the money.

https://bitcointalk.org/index.php?topic=604716.20

By splitting up your stake into small chunks you can attempt to mint at almost the same rate on successive blocks without losing coin age. Someone please tell me I am wrong. And then if you skew your block’s time but stay within the clock-drift you get an even better chance of success (as hinted at in the post by cinnamon_carter, page 2, 6/5/2014).[/quote]

Great - I’ve added it to the list! I’ve not looked at this one before. If someone knows the answer to this one, please post here or PM me so I can update the first post.

[quote=“Jordan Lee, post:5, topic:2518”][…]
Let’s consider the above attack scenario for someone who has accumulated 6% of all Peercoins, meaning they spent at least $2,400,000 USD on Peercoins at today’s prices and split them up into 6 different outputs or addresses (one for each of the 6 consecutive blocks they need). Let’s assume they waited 90 days to mint with those coins. Such a person might have a 3% chance of finding the next block.
[…][/quote]
Hi Jordan!
I appreciate your input to this discussion as you are for sure one who understands the source code and the mechanics of Peercoin. I only have my apprehension to try to follow…
One question that crossed my mind:
does the attacker need 6% of all Peercoins or 6% of all actively minting Peercoins?
If the attacker only needs 6% of the minting Peercoins to have the attack probability you calculated it would be significantly “cheaper” to get the needed Peercoins.
Based on the assumption that only < 5 million Peercoins are minting (http://www.peercointalk.org/index.php?topic=2515.msg27233#msg27233), only < 300,000 Peercoins are needed to achieve the probability you calculated.

I agree that it will be hard to get a direct financial gain by executing a successful or almost successful double spend (although it is easier the less Peercoins you need for that because it is easier to buy/sell them in a short period of time without suffering from a huge spread between buy/sell price)

But what about other reasons to attack Peercoin? Reasons that are not incentivized by a direct financial gain?
What about governments?
What about people being heavily invested in Bitcoin who might feel threatened by a possible success of Peercoin but are not willing to invest in Peercoin and rather try to bring it down (hoping that the fall of the “first PoS coin” pushes the Bitcoin price higher)?

I want Peercoin to succeed as I believe in the need for crypto currencies and I understand that PoW has flaws that are (at least partly) addressed by PoS, especially by the way Peercoin is implemented. But I still don’t understand why PoW is not used as an additional security layer while it is in place for mining.

I made a kind of proposal on how to include PoW in the security model of Peercoin (http://www.peercointalk.org/index.php?topic=2606.msg22403#msg22403). I understand that the idea of including PoW in the security model is not welcome. I understand that this would need a hard fork because the protocol needs to be adjusted. But I still claim that wisely including PoW in the security model would raise the security level if you’d need a certain amount of control over both of the PoS and PoW process to successfully attack the block chain.
If PoW is the weaker part of the security model (weaker than PoS) but not as negligible as it is currently, there would be even more at stake.
Economically speaking it would be more secure that way!

[quote=“romerun, post:4, topic:2518”]How do you respond to the history attack? Critics claim by using checkpoint, therefore peercoin is centralized by dev. For example:

https://bitcointalk.org/index.php?topic=615843.msg6753563#msg6753563[/quote]

Here is something else about this…

http://www.reddit.com/r/Bitcoin/comments/281kqz/51_has_been_reached/ci773o2

[quote=“Sentinelrv, post:14, topic:2518”][quote=“romerun, post:4, topic:2518”]How do you respond to the history attack? Critics claim by using checkpoint, therefore peercoin is centralized by dev. For example:

https://bitcointalk.org/index.php?topic=615843.msg6753563#msg6753563[/quote]

Here is something else about this…

http://www.reddit.com/r/Bitcoin/comments/281kqz/51_has_been_reached/ci773o2[/quote]

Great, I added it to the index in the top post.

Oh-my, AlphaBar woke up on the aggressive side that day :)) I’ve not thought of this kind of attack earlier, so I’ll need help addressing this one as well.

Those myths that we’re not able to actually debunk ourselves, we could perhaps ask Sunny about. If the peercoin main site is also going to have a myth section, I believe it could be worthwhile for him to do it.

EDIT: OK, read it now. Will attempt a brief summary here:

[ol][li]Attacker has more than 50% of the total coin supply in block 9[/li]
[li]Attacker sells all of the coins on an exchange in block 11[/li]
[li]Attacker changes his Peercoin client’s source code and starts to mint his own chain from block 10; in this chain the coins were never sent to the exchange.[/li]
[li]When the attack chain is longer than the main chain on the network, the attacker broadcasts the attack chain[/li]
[li]The main chain is substituted by the attack chain[/li]
[li]Attacker now has USD on the exchange and all the peercoins in the wallet[/li][/ol]

Another version of basically the same thing is:

[ol][li]Attacker buys private keys that are “no longer used” from an early adopter who sold his coins in block 10, for 1 USD.[/li]
[li]Attacker uses these private keys that happened to have held 50% of the coin supply in block 9[/li]
[li]Attacker changes his Peercoin client’s source code and starts minting on block 9, building his own chain in which the coins were never spent in block 10.[/li]
[li]When the attack chain is longer than the main chain on the network, the attacker broadcasts the attack chain.[/li]
[li]Attacker now has coins which can be sold on an exchange.[/li][/ol]

Did I understand this correctly? How is this attack vector addressed in Peercoin?

EDIT 2: Maybe “chaintrust” (http://www.peercointalk.org/index.php?topic=2606.30) or “duplicate block” have something to do with it? I’m thinking chaintrust because the coin age is consumed when minting (50% of the coins is a lot though and theoretically more could be bought cheaply) so “duplicate block protection” looks interesting in this context. But I’ve got to study these kernel things and so forth and so on. Would be easier if someone who already knew gave us some hints.

[quote=“onthefrynge, post:11, topic:2518”]I have been working hard trying to figure out why this attack isn’t valid for someone willing to spend the money.

https://bitcointalk.org/index.php?topic=604716.20

By splitting up your stake into small chunks you can attempt to mint at almost the same rate on successive blocks without losing coin age. [/quote]
That is right! You can do this. But we think that even if you split your coins, you have to make an immense investment to attack Peercoin.

Clock drift problem:

Smike elaborated on how this works in http://www.peercointalk.org/index.php?topic=2634.0.
He states:

[quote][quote]Since the network has a tolerance of two hours of time stamp error, does it mean one can try 14400 different time stamps per second?[/quote]

Yes. There are other limits involved but you can try more timestamps per second. The client already tries some previous timestamps if you missed them.

But if you try the next 14400 timestamps at time t, then at time t+1 you’ll try 14399 timestamps you’ve already tried, and only try 1 new. So you still try only 1 new timestamp per second.

If you do that it may still be a little easier to find a block if the difficulty changes a lot (because you’ll try more timestamps when the difficulty is low). But it’s probably not significant. And you wouldn’t get more reward, you’d only get a part of it earlier.[/quote]
I am not sure, but I think that if an attacker attacks the network over 1 hour - assuming he wants to reorganize 6 blocks - then he can try 14400+7200 timestamps instead of just 7200 timestamps. For sure this would be an advantage for the attacker, but still he has to have many many coins…
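Smike's sliding-window point, as an added example that is not part of the thread or of the Peercoin client: it counts how many candidate timestamps a minter can hash for the first time in each second of a session. Assumptions: blocks are accepted with a timestamp within DRIFT seconds either side of local time (DRIFT = 7200, matching the 14400 figure in the quoted question), and a kernel hash attempt is fully determined by the stake output and the timestamp, so re-hashing an already-tried timestamp against the same previous block cannot produce a new result.

```python
# Added example, not from the thread. Counts fresh (never hashed before)
# timestamps per second under a +/- DRIFT acceptance window. Assumption: the
# kernel hash for a given stake output and previous block depends only on the
# timestamp, so repeating a timestamp is wasted work; a new previous block
# starts a fresh session.
from typing import List

DRIFT = 7200  # two hours each side, as in the quoted question (2 * 7200 = 14400)


def candidate_timestamps(now: int, drift: int = DRIFT) -> range:
    """All block timestamps the network would accept at local time `now`."""
    return range(now - drift, now + drift)


def fresh_attempts_per_second(start: int, seconds: int,
                              drift: int = DRIFT) -> List[int]:
    """For each second of a minting session against one previous block,
    count the candidate timestamps that have not been hashed before."""
    tried = set()
    fresh = []
    for now in range(start, start + seconds):
        new = set(candidate_timestamps(now, drift)) - tried
        tried |= new
        fresh.append(len(new))
    return fresh


def total_fresh_attempts(seconds: int, drift: int = DRIFT) -> int:
    """Distinct hash attempts available over a whole session."""
    return sum(fresh_attempts_per_second(0, seconds, drift))


def naive_attempt_count(seconds: int, drift: int = DRIFT) -> int:
    """What one would get by assuming 2*drift *new* attempts every second."""
    return 2 * drift * seconds


if __name__ == "__main__":
    print(fresh_attempts_per_second(1_400_000_000, 5))  # [14400, 1, 1, 1, 1]
    session = 60
    print("naive:", naive_attempt_count(session),
          "actual distinct:", total_fresh_attempts(session))
```

After the first second the window only slides forward by one timestamp per second, so the drift tolerance is a one-off head start rather than a sustained multiplier.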

[quote=“Jordan Lee, post:5, topic:2518”]I would like to present the specific steps of an attack exploiting the “nothing at stake” phenomena. As you will see, the attack does not pose a serious threat to the network.

  1. Alter the client source code to not include any transactions in a block except your own.

  2. Write a utility that can sign and automatically issue a transaction to transfer coins from and to addresses of your choosing.

  3. Build and deploy your altered Peercoin client to 10 different virtual machines.

  4. Open exchange accounts with 10 different exchanges. In each virtual machine, configure the utility you wrote to transfer the same coins to a unique exchange address. You are attempting a double spend, or in this case, you try to spend the same coins 10 times.

  5. Mint on all 10 virtual machines using the same wallet on each while sending out transactions spending your coins to ten different exchange deposit addresses. Other nodes will only accept a single transaction: the one they received first. You only have about a 10% chance of the exchange nodes receiving the spend you wanted it to (this works the same in a proof of work system like Bitcoin). If any other client besides the attacker’s finds the next block, the multiple spend is resolved and the coins cannot be used again to attempt a multiple spend in the next block. The attempt to get the double or multi spend confirmed failed. If the attacker is very lucky and finds the very next block after sending out multi spends (using 10 machines does not increase the attacker’s likelihood of finding the next block), there will be 10 forks with 10 different spends of the same coins with one confirmation. No other transactions will be included in these 10 competing blocks.

  6. We now have 10 Peercoin forks, all of which are being minted on. Clients run by others will decide which fork to mint on based on which of the 10 competing blocks they received first.

  7. The next block will be minted. If it is minted by someone else other than the attacker, which is the overwhelming likelihood, this new block defines the best chain and consensus is restored across the entire network. All legitimate transactions excluded from the previous block are included in this block. In the unlikely event that the next block is minted by the attacker, all 10 forks will continue.

  8. As soon as anyone else on the network besides the attacker finds a single block, the attack is defeated. Double spends (or 10 spends in our case) disappear and all other transactions are confirmed normally.

Let’s consider the above attack scenario for someone who has accumulated 6% of all Peercoins, meaning they spent at least $2,400,000 USD on Peercoins at today’s prices and split them up into 6 different outputs or addresses (one for each of the 6 consecutive blocks they need). Let’s assume they waited 90 days to mint with those coins. Such a person might have a 3% chance of finding the next block. If they succeed at getting one and only one confirmation on their multiple spends they cannot defraud an exchange (because they typically require 6 confirmations). They have less than a 0.1% chance of getting two blocks in a row and around 0.003% of finding three in a row. The chance they will find six blocks in a row is 0.00000000729%. They must wait 90 days to get another optimal chance to attack after a failed attempt.

If they fork the network for one or two blocks and their double spend is successful for only one or two blocks, they can’t defraud an exchange but they might harm the value of their own investment if the market is not impressed by these one or two block forks. Because 6 consecutive blocks are needed to defraud an exchange from double spending, even a very large stakeholder would have a negligible chance of success. If they got somewhat close to success but failed (the overwhelming likelihood) it would lower the value of their Peercoins as the market priced in worries of a possible future success. The odds of gain are strongly against you because any near success that ultimately fails can hurt the value of your Peercoins.

The endeavor cannot be embarked upon with an expectation of financial gain. Financial loss is far, far more likely. The loss of large amounts of time is certain. Additionally, few people have the skills to mount such a complicated attack. The fact that such forks have not been known to occur suggests no one has attempted it, precisely because it is extremely unlikely to result in financial gain while much more likely to result in loss.

There are many more important threats to PoS networks than the risk of a successful exploit of the “nothing at stake” phenomena. For instance, the possibility that the Peercoin network will experience low levels of adoption is far, far greater than the possibility of a successful attack of the kind described above. We should focus our attention accordingly.

Update: I realized I had overestimated the probability of a successful attack. If you buy 1% of Peercoins and put them all in the same output (similar to an address), you might have about a 3% chance of finding the next block. However, you would have nothing left to try to find your 2nd, 3rd, 4th, 5th and 6th consecutive blocks. To do that with the probabilities mentioned above you would need to purchase 6% of all Peercoins at a current cost of more than 2.4 million USD. Doing so would raise the price of Peercoin, meaning you would have to pay more than market price on average. Similarly, such a large amount of Peercoins would have to be sold later below market price on average, exposing the attacker to certain financial loss.[/quote]

Let’s say I’m buying a whole lot of old private keys that once upon a time could be used to spend an enormous amount of coins. Then I select a block a long way back in time, when those coins were still there and build a chain that is super long. Would I then be able to broadcast this chain and replace the main chain on the network (and if check-pointing is disabled of course)?

Will the duplicate block protection invalidate the attack chain? I looked at the code, but I’m very reluctant to even speculate on these things, since I’m writing educational material.

Solution given by Ethereum:
Slasher: A Punitive Proof-of-Stake Algorithm

[quote=“crypto_coiner, post:19, topic:2518”]Solution given by Ethereum:
Slasher: A Punitive Proof-of-Stake Algorithm
http://blog.ethereum.org/2014/01/15/slasher-a-punitive-proof-of-stake-algorithm/[/quote]

I think the paper is deceptive. The author argues a solution, but the problem isn’t there. The “Nothing at stake” myth that is referred to has been debunked. Check out Jordan’s post here: http://www.peercointalk.org/index.php?topic=2976.msg27303#msg27303