Long Term Vulnerability?

Discussion in 'Questions' started by saward, Nov 4, 2017.

  1. saward

    saward New Member

    Dec 28, 2015
    2
    0
    Hi,

    I've been reading a discussion on decred here:

    https://bitcointalk.org/index.php?topic=1831784.0

    The discussion ended rather unsatisfactorily, with the objections of 'iamnotback' not well understood by others and ending without real agreement or resolution.

    I'm interested to know where this discussion went (if it indeed continued outside this thread). Is decred indeed vulnerable in the way mentioned, so that the fewer decred being staked (and therefore the higher % of the staked pool you control), the lower the hashrate needed to double spend? It does indeed seem to me that as the popularity of decred goes up, the % staked will go down.

    If so, is this a fatal flaw with decred, or something that can be fixed in the future? If it can be fixed, what would that look like?

    Thanks
     
  2. davecgh

    davecgh Hero Member
    Developer Organizer

    Dec 31, 2015
    642
    788
    Male
    United States
    This was answered several places. The short answer is that, given an apples to apples comparison, it is significantly more expensive to attack Decred's system than Bitcoin's system, even under less than ideal circumstances.

    The following numbers are a little dated now, but the same still holds true. In fact, the gap is even wider if you were to use the fact that a single bitcoin is now closer to 7k versus the 1k it was at the time.

    As of March 31, 2017, at its peak, there was an estimated 4,161,948 TH/s of hashing power securing the Bitcoin network. So in order to successfully attack Bitcoin, you would need 51% of that which is 2,122,593 TH/s. Also, let's discount the fact that with the amount of money we're talking about here you could just pay to have your own ASIC built out in a fab for even less, but let's just keep it simple using released hardware. An Antminer S9 provides 14 TH/s @ 3000 USD. Thus, to achieve that 51%, you would have only needed to acquire approx 151,614 Antminer S9s * 3000 = $454,842,000 USD.

    Now, for an apples to apples comparison, let's assume Bitcoin used Decred's hybrid system and thus we'll use the same coin supply, the same price per coin, and the same PoW hash rate. As of that same March 31, 2017 date, there were around 16,248,000 bitcoins in circulation at a cost of roughly 1000 USD per coin. Let's go ahead and use some less than favorable numbers and assume there is only 33% stake participation and calculate how much money it would take to attack the network by aiming to acquire 33% of the stake. Running the numbers, we can see ((1/0.33 - 1) * 0.33)^3 = 0.29, so you would also need roughly 29% of the hash power in addition to 33% of the stake. So, 33% of 33% of 16,248,000 coins ~= 1,769,407 * 1000 per coin = 1,769,407,000 USD for the PoS portion. Now, you also need 29% of the hash power, so 4,161,948 TH/s * .29 ~= 1,206,965 TH/s. Thus, you would need to acquire approx 86,212 Antminer S9s @ 3000 USD = 258,636,000 USD.

    So, in summary, all things being equal, you would need roughly 455 million USD to attack Bitcoin while you would need roughly 2.03 billion USD to attack Decred.
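
Added example (not part of davecgh's post and not Decred project code): the cost comparison above as a small Python model built only from the figures quoted in the post, extended to show how the total moves with stake participation, which is the question raised in this thread. Assumptions: coins and miners are bought at the fixed prices quoted, the attacker's ticket share stays at 33%, the hash share is the post's stated 0.29, and all function names are illustrative.

```python
import math

# Figures quoted in the post (as of March 31, 2017).
NETWORK_TH_S = 4_161_948      # peak Bitcoin hash rate, TH/s
S9_TH_S, S9_USD = 14, 3000    # Antminer S9 throughput and unit price
COIN_SUPPLY = 16_248_000      # coins in circulation
COIN_USD = 1000               # price per coin

def hash_fraction_for_stake(stake_share):
    """The post's expression ((1/s - 1) * s)^3, which reduces to (1 - s)^3."""
    return ((1 / stake_share - 1) * stake_share) ** 3

def pow_cost(hash_fraction):
    """USD for enough S9 units to supply this fraction of the network hash rate."""
    units = math.ceil(NETWORK_TH_S * hash_fraction / S9_TH_S)
    return units * S9_USD

def pos_cost(participation, stake_share):
    """USD to buy stake_share of the staked coins at the fixed quoted price."""
    coins = round(participation * stake_share * COIN_SUPPLY)
    return coins * COIN_USD

def hybrid_cost(participation, stake_share=0.33, hash_fraction=0.29):
    """Total USD under the post's model; 0.29 is the post's stated hash share."""
    return pos_cost(participation, stake_share) + pow_cost(hash_fraction)

def breakeven_participation(stake_share=0.33, hash_fraction=0.29):
    """Participation at which the hybrid cost falls to the PoW-only cost."""
    gap = pow_cost(0.51) - pow_cost(hash_fraction)
    return gap / (stake_share * COIN_SUPPLY * COIN_USD)

if __name__ == "__main__":
    print(f"PoW-only (51%): {pow_cost(0.51):,} USD")
    for p in (0.50, 0.33, 0.10, 0.05):
        print(f"participation {p:.0%}: {hybrid_cost(p):,} USD")
    print(f"break-even participation: {breakeven_participation():.2%}")
```

Under these fixed-price assumptions the proof-of-stake portion scales linearly with participation, so participation is the figure to watch when judging how the hybrid margin over a PoW-only system changes.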
     
  3. saward

    saward New Member

    Dec 28, 2015
    2
    0
    While 2.03 billion USD is significantly more than 0.455 billion USD, that invested money is less locked up than it is in the purchase of physical hardware. The coins can easily be resold in a way that miners can't be. If stake participation drops, then it sounds like such an attack becomes much more reasonable. So it sounds to me like it's very important for Decred to keep stake participation high?

    Stake participation I assume can keep up as long as people can pool ticket purchases in the future. What happens when all the coins are mined? Is there any benefit to staking beyond the vote it gives you?
     
  4. jet

    jet New Member

    Jan 29, 2017
    84
    16
    Web
    #4 jet, Nov 10, 2017
    Last edited: Nov 10, 2017
    Buying nearly 10% of coin supply would be problematic. Selling 10% of coin supply would be non-trivial as well. You would have to plan it thoroughly, either long-running "stealth" market-buy and market-sell, or find a very fat OTC buyer. If your attack is successful, selling 10% of a successfully pwned coin becomes even more challenging. Hence the attacker must be ready to part with his attack budget.

    While I'm also curious, please note that according to current consensus rules it will happen somewhere around 2039. I believe dozens of hardfork voting rounds will complete by then, and one of them will be dedicated to this issue.

    One thing I agree with iamnotback on, is that I'd like to see several independent researchers hired to come up with various theoretical attacks on Decred's hybrid system, and ideally proofs that Decred is resistant to them or at least outperforms Bitcoin.

    Personally I have a gut feeling that this design is brilliant and it is the reason I'm heavily invested, but I'd be much more confident after more researchers confirmed it.
     
