Proof-of-stake (PoS) protocols are a class of consensus mechanisms for blockchains that work by selecting validators in proportion to their quantity of holdings in the associated cryptocurrency. This is done to avoid the computational cost of proof-of-work (PoW) schemes. The first functioning use of PoS for cryptocurrency was Peercoin in 2012, although the scheme, on the surface, still resembled PoW.[1]
For a blockchain transaction to be recognized, it must be appended to the blockchain. In the proof of stake blockchain the appending entities are named minters or validators (in the proof of work blockchains this task is carried out by the miners);[2] in most protocols, the validators receive a reward for doing so.[3] For the blockchain to remain secure, it must have a mechanism to prevent a malicious user or group from taking over a majority of validation. PoS accomplishes this by requiring that validators have some quantity of blockchain tokens, requiring potential attackers to acquire a large fraction of the tokens on the blockchain to mount an attack.[4]
Proof of work (PoW), another commonly used consensus mechanism, verifies transactions through demonstrated computational effort, so a potential attacker must acquire a large fraction of the validator network's computational power.[4] This incentivizes the consumption of huge quantities of energy. PoS is more energy-efficient.[5]
Early PoS implementations were plagued by a number of new attacks that exploited vulnerabilities unique to PoS protocols. Eventually two dominant designs emerged: the so-called Byzantine Fault Tolerance-based and chain-based approaches.[6] Bashir identifies three more types of PoS:[7]
committee-based PoS (a.k.a. nominated PoS, NPoS);
delegated proof of stake (DPoS);
liquid proof of stake (LPoS).
The additional vulnerabilities of PoS schemes are a direct consequence of their advantage: the relatively small amount of computation required to construct the blockchain.[8]
The low amount of computing power involved allows a class of attacks that replace a non-negligible portion of the main blockchain with a hijacked version. The literature refers to these attacks by several names (Long-Range, Alternative History, Alternate History, History Revision); they are infeasible in PoW schemes because of the sheer volume of computation required.[9] The early stages of a blockchain are much more malleable for rewriting, as they likely involve a much smaller group of stakeholders, which simplifies collusion. If per-block and per-transaction rewards are offered, a malicious group can, for example, redo the entire history and collect these rewards.[10]
The classic "Short-Range" attack (bribery attack) that rewrites just a small tail portion of the chain is also possible.[9]
Since validators do not need to spend a considerable amount of computing power (and thus money) on the process, they are prone to the Nothing-at-Stake attack: participation in a successful validation increases the validator's earnings, so there is a built-in incentive for validators to accept all chain forks submitted to them, increasing their chances of earning the validation fee. PoS schemes enable low-cost creation of alternative blockchains starting at any point in history (costless simulation), and submitting these forks to eager validators endangers the stability of the system.[8] If this situation persists, it can allow double-spending, where a digital token is spent more than once.[10] This can be mitigated by penalizing validators who validate conflicting chains[10] ("economic finality"[11]) or by structuring the rewards so that there is no economic incentive to create conflicts.[3] Byzantine Fault Tolerance-based PoS schemes are generally considered robust against this threat.[12]
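As an added illustration (not part of the article or of any particular protocol), a small Python model of the penalty mechanism just described: it detects validators who attested to conflicting blocks at the same height, slashes their stake, and compares a validator's expected payoff from voting on one fork versus every fork, with and without a slashing penalty. All validator names, hashes, stakes and probabilities are constructed values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vote:
    """A validator's signed attestation to one block at one height (constructed model)."""
    validator: str
    height: int
    block_hash: str  # hypothetical short hash of the attested block


def find_equivocations(votes):
    """Return {(validator, height): {block hashes}} for every validator that voted
    for two or more distinct blocks at the same height, i.e. on conflicting forks."""
    seen = defaultdict(set)
    for v in votes:
        seen[(v.validator, v.height)].add(v.block_hash)
    return {key: hashes for key, hashes in seen.items() if len(hashes) > 1}


def apply_slashing(stakes, votes, penalty):
    """Deduct `penalty` once from each equivocating validator's stake (never below zero)
    and return the updated stake table."""
    slashed = dict(stakes)
    for validator in {v for v, _height in find_equivocations(votes)}:
        slashed[validator] = max(0, slashed.get(validator, 0) - penalty)
    return slashed


def expected_payoff(strategy, p_win, reward, penalty):
    """Expected reward for one validator facing two competing forks.
    p_win: probability that the fork it favours becomes canonical;
    reward: fee paid for a vote that ends up on the canonical fork;
    penalty: amount slashed when equivocation is provable (0 = no slashing)."""
    if strategy == "single":       # vote on the favoured fork only
        return p_win * reward
    if strategy == "all":          # vote on both forks: paid whichever wins,
        return reward - penalty    # but the conflicting votes are provable
    raise ValueError(f"unknown strategy {strategy!r}")


if __name__ == "__main__":
    # Constructed sample: v1 votes for two different blocks at height 100.
    votes = [Vote("v1", 100, "aaa"), Vote("v1", 100, "bbb"),
             Vote("v2", 100, "aaa"), Vote("v1", 101, "ccc")]
    print(find_equivocations(votes))
    print(apply_slashing({"v1": 32, "v2": 32}, votes, 16))
    for pen in (0, 8):  # without slashing, voting on every fork dominates
        print(pen, expected_payoff("single", 0.6, 10, pen), expected_payoff("all", 0.6, 10, pen))
```

With no penalty, voting on every fork strictly dominates honest voting; once the penalty exceeds the reward a validator would forfeit by voting on a single fork, the incentive reverses.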
The bribery attack, in which attackers financially induce some validators to approve their fork of the blockchain, is enhanced in PoS: rewriting a large portion of history might allow a collusion of once-rich stakeholders, who no longer hold significant amounts at stake, to claim the necessary majority at some point back in time and grow an alternative blockchain from there, an operation made possible by the low computing cost of adding blocks in a PoS scheme.[10]

