<a​sdfqwfe:matrix.org> If we stick with pure PoW, we will always be vulnerable to 51% attacks from large actors with nuclear powered data centers.

<a​sdfqwfe:matrix.org> I don't understand why people shit on PoS so much.

<b​asses:matrix.org> #monero:monero.social

<g​ingeropolous:monero.social> so is this more ai slop or does it actually make sense: github.com/Gingeropolous/friction/blob/main/README.md

<e​longated:matrix.org> Cubic can keep mining for a few months and then abuse ?

<g​ingeropolous:monero.social> the window would be huge, and it does have that same issue as the "block reward staking" idea regarding the current attack. basically it needs to be implemented 8 years ago. But you know what they say, the best time to plant a tree is 20 years ago. The second best time is now.

<e​longated:matrix.org> With staking you don’t want your stake value go down, so you don’t indulge in nefarious activities

<e​longated:matrix.org> In your case, they can keep mining and selling build reputation and then attack

<b​asses:matrix.org> this is AI generated? if so, how do u think AI can ever solve such an issue if it sucks with day-to-day tasks?

<g​ingeropolous:monero.social> it didn't come up with the idea. i had the idea and instructed it to flesh it out.

<t​orir:matrix.org> That explains the vagueness at times that is typical of AI. The paper also reads like a mix of three ideas. Maybe they should be three different proposals. Overall it just sounds rough and unfinished.

<u​ntraceable:monero.social> If BTC were to be used for renting hash it should be to p2pool. It is possible, as I am doing it now.

<m​onerobull:matrix.org> most of the time it is a vehicle for a de-facto dev fee

<m​onerobull:matrix.org> Monero has already reached tail emission and should be quite distributed by now. Unlike most other PoS chains, no one exchange, VCs or foundation holds massive portions of the supply

<m​onerobull:matrix.org> imo the PoS finality layer is the best solution

<u​ntraceable:monero.social> +1

<d​uckduckgouygu:matrix.org> +1

<j​ohn_r365:monero.social> Doesn't a PoS finality layer just shift potential attacks to a new layer? What stops a bad actor accumulating XMR for staking, and then using their large stake to attack the network via the validation layer?

<s​yntheticbird:monero.social> That is the point brought by ArticMine. KayabaNerve argument is that we essentially shift the damage to just halting the network

<m​onerobull:matrix.org> an outsider accumulating XMR for a staking attack would significantly push up the price, attacking a sufficiently large PoS system is insanely expensive, much more so than renting CPUs/GPUs

<m​onerobull:matrix.org> in the slower finality layer design the PoW chain would still grow

<s​yntheticbird:monero.social> ngl I'm not convinced by this. Some actors can very easily buy big amount of XMR "off-the-grid" and therefore not pump the price

it was suggested that only mined outputs before moving count for staking

<s​yntheticbird:monero.social> DataHoarder rejected by some

they could be bought off grid, but private keys would be shared at that point

<s​yntheticbird:monero.social> not rejected, more like not supported

<s​yntheticbird:monero.social> DataHoarder, no you just have to sell in F2F or P2P, without any notifying anyone

<a​sdfqwfe:matrix.org> Does that compromise fungibility though. Two classes of coins.

<s​yntheticbird:monero.social> arbitrage is what changes the price but for that the exchanges prices needs to change accordingly to demand/offer, which will not change if they just exchange P2P in secret

we already have two classes of coins, the encrypted amounts and the public amounts in miner outputs, and p2pool causes a lot of dust that can be used to track likely moves p2pool.observer/sweeps

<m​onerobull:matrix.org> thats why fcmp++ is coming

<s​yntheticbird:monero.social> i would be lmao if luigi come back from vacation and be like "wtf is going on here"

<m​onerobull:matrix.org> syntetic you cant hide from simple economics

<m​onerobull:matrix.org> unless it is literally an OG miner who has never really sold any of their XMR, it will have an impact on the price

<a​sdfqwfe:matrix.org> In PoW, the cost to attack and the cost to defend are 1:1. And state actors will always have more resources.

<s​yntheticbird:monero.social> by all mean explain to me how state actor A telling exchange B to sell the XMR to them at N price without changing the price or notifying their oracle will change the price

<a​sdfqwfe:matrix.org> In PoS, it asymmetrically favors defense.

<a​sdfqwfe:matrix.org> You have to pump the bags of the hodlrs in order to attack.

<m​onerobull:matrix.org> same way you cant secretly print money without it effecting the wider economcy. supply and demand works like a mirror, you dont need to be aware of it for it to have an effect

<s​yntheticbird:monero.social> can you have copy pasting your text please

<s​yntheticbird:monero.social> monerobull that changes the wider economy because it fucking blend into the circular economy. If I buy monero and let them sit nothings gonna happen

<m​onerobull:matrix.org> the reduced supply on exchange B will drive up the price by itself

<m​onerobull:matrix.org> not instantly

<m​onerobull:matrix.org> but over time, you cant take a ton of monero out of circulation and have the price stay the same

<m​onerobull:matrix.org> analysis by grok

<m​onerobull:matrix.org> Calculation

<m​onerobull:matrix.org> Estimated Staked Supply: 40% of 18.45 million XMR = 7.38 million XMR staked.

<m​onerobull:matrix.org> Staked Market Value: 7.38 million XMR × $257 ≈ $1.9 billion.

<m​onerobull:matrix.org> Amount Needed for Attack: 33% of staked supply = 0.33 × 7.38 million XMR ≈ 2.46 million XMR.

<m​onerobull:matrix.org> Nominal Cost: 2.46 million XMR × $257 ≈ $632 million.

<s​yntheticbird:monero.social> the famously trustable and public supply we definitely can audit, thus the last part of my sentence "without changing the price or notifying their oracle"

<t​orir:matrix.org> You can't buy from an exchange without affecting the price, since you will be depleting sell orders on the exchange (unless the exchange is stealing from its customers). You need to buy from someone who hasn't listed their Monero for sale. But there is a finite amount you can acquire that way, and eventually you will have to turn to sources that have a visible effect on the market.

<m​onerobull:matrix.org> 600 million is a decent chunk, even for state actors.

<m​onerobull:matrix.org> and that doesnt include the rapid price increase from buying 600M worth of xmr lol

<m​onerobull:matrix.org> took the btc hacker only tens of millions to push up the price to $400

<m​onerobull:matrix.org> so going off of groks numbers, that could easily escalate to 2-5 billion with B

<m​onerobull:matrix.org> not to mention that staking by honest stakes is in itself likely to push up the price as new people join and want to become stakers

<m​onerobull:matrix.org> as long as the entire system isnt tiny, PoS is much more expensive to overtake than PoW

<j​ohn_r365:monero.social> As I understand it, the current risks with PoW/Qubic are:

<j​ohn_r365:monero.social> - They perform more/deeper re-orgs, which slows transaction confirmation times and potentially reverses older transactions

<j​ohn_r365:monero.social> - Double spend in such a way that an organisation has financial repercussions (exchange theft would be the obvious example)

<j​ohn_r365:monero.social> - They monopolize the block reward at the exclusion of other miners

<j​ohn_r365:monero.social> Did I miss anything?

<j​ohn_r365:monero.social> It would be interesting to create a risk comparison table with existing PoW and then what happens if a PoS finality layer is compromised by a bad actor.

<s​yntheticbird:monero.social> whatever, I'm disagreeing as I think you're taking assumptions on the normal market condition which I described as irrelevant in the situation I described.

<m​onerobull:matrix.org> you are ignoring the wider economic impacts it would have if someone tries to buy even 100M in xmr

<m​onerobull:matrix.org> you cant just go "they will OTC it" and act like that invalidates any price action

<t​orir:matrix.org> I don't think any seller exists who has 100M in XMR to sell OTC.

<m​onerobull:matrix.org> yeah

<m​onerobull:matrix.org> and if there were any

<m​onerobull:matrix.org> why wouldnt they be honest stakers and rake in xmr?

<m​onerobull:matrix.org> very few people would sell their infinite money printer for a one-time payment

<t​orir:matrix.org> I feel if we do any sort of PoS, we need some way to prevent exchanges from secretly staking customer funds.

staking seems like a much more efficient solution to me, but dumb question, if we dont know anyones balance how can we know if someone owned 51% of monero? or does staking show up this info without breaking anonymity? and all the other unstaked coins have no effect on control?]

<a​ntilt:we2.ee> XMR distribution is likely as in most similar systems: more or less gaussian (bell shape). But there are ways to manage this, with penalties and weighting, etc

<m​onerobull:matrix.org> lock and unlock windows

<m​onerobull:matrix.org> on aave umbrella, you need to signal 20 days ahead that you want to withdraw staked coins

<m​onerobull:matrix.org> then you have a 5 day window to make the withdrawal, if you dont, the window resets

<a​sdfqwfe:matrix.org> We couldnt know if they owned 51% of Monero... We could know if they're using that 51% to do an attack

<m​onerobull:matrix.org> the only attack the finality layer could do is stop finalizing, right?

<m​onerobull:matrix.org> at which point the PoW chain keeps going as usual

<r​brunner7:monero.social> john_r365: If you don't wat to restrict to purely technical things, "reputation damage", "loss of trust in the currency", "reduced value in fiat" might make the list as well

so you could slowly accumulate, then suddenly do the attack without any warning

<m​onerobull:matrix.org> as if accumulating 36% of the monero stake would not push up the price

<j​ohn_r365:monero.social> rbrunner7: agree with all of those. was trying to stick to the technical aspects, and then yes, all of the reputation/fiscal damage would be downstream.

<a​ntilt:we2.ee> <34% stop, <66% compromise

assuming that much would ever be up for sale on the market compared to what is sitting in wallets too

<a​ntilt:we2.ee> validators are rotated, though

<j​ohn_r365:monero.social> I guess my main concern is around articmine's idea of avoiding a worse situation than we have now. And currently I don't understand all the risk/failure modes of the PoS finality layer

<m​onerobull:matrix.org> right now transactions can be reverted

<m​onerobull:matrix.org> the feds could be forcing amazon to mine a chain right now

<m​onerobull:matrix.org> that would instantly nuke our entire blockchain as soon as broadcasted

<m​onerobull:matrix.org> and it wouldnt even be that expensive

<a​ntilt:we2.ee> unfortunately

<m​onerobull:matrix.org> they could literally already have a killswitch for monero

<a​ntilt:we2.ee> Qubic I see as a test case. Could be worse

if there is going to be some major changes, please consider implementing some form of quantum resistance as well, I dont want future governments going back over my current transactions ;)

<a​ntilt:we2.ee> money launderer spottet !1!!

<m​onerobull:matrix.org> doesnt the fcmp++ fork already add perfect forward secrecy

<r​brunner7:monero.social> I think there are some limitations, but basically yes FCMP++ achieves forward secrecy

<j​ohn_r365:monero.social> monerobull: yes, I suppose if there is no limit to re-org depth your thought experiment is correct. but wouldn't you prefer to know a bit more about PoS failure states before jumping to conclusion that it's our saviour?

haha I just think doing crypto taxes is too difficult and confusing

<r​brunner7:monero.social> As I understand, that is what is in reach right now, and not just a castle in the sky, technologically.

<j​ohn_r365:monero.social> *PoS finality layer

definitely ill make some mistakes

<d​rinksomemilk:matrix.org> Aside from the technical reality the public perception of PoS without having a way of seeing the amounts in wallets might be problematic. Could still be worth it though. Dunno

<m​onerobull:matrix.org> if i understand it correctly you can halt finalization @ 34% and compromise it at 67%, even the 34% could have never been reached by qubic

<j​ohn_r365:monero.social> monerobull: when it comes to a 67% attack, what can the attacker actually do?

<a​ntilt:we2.ee> valid point, but has been solved technically to some degree

<m​onerobull:matrix.org> our entire supply is hidden, this is not a strong point imo

<d​rinksomemilk:matrix.org> Still i feel like PoS amplifys this to some degree

<m​onerobull:matrix.org> if a serious attacker already had such a massive amount of the supply, they could have already used it to completely destroy the price

<m​onerobull:matrix.org> and keep it down for years

<j​ohn_r365:monero.social> kayabanerve: I'm not sure where things got to yesterday with your plans to further document a PoS finality layer. If you're continuing with this, it'd be great to see a table comparing the risks with PoW as things stand now (re-orgs/double spend/transaction finality delay etc) with the risks of an attack on the finality layer - both at 34% and 67%.

<d​ufebo98:monero.social> actually our friend Dash is using PoW+finality layer. Has anyone analyzed its weaknesses

<d​rinksomemilk:matrix.org> How would the economics of the PoS finality layer work? Wouldnt this reduce rewards for miners since tail emission has to be shared with PoS Validators

<a​ntilt:we2.ee> for now, its discussed as a variant of finality layer. Introduced as permissioned emergency measure. Validators need fixed amount to stake

<a​ntilt:we2.ee> there are endless possible design choices. But keeping p2pool + small miners afloat is the general consensus afaict

<j​ohn_r365:monero.social> drinkyourmilk: right, presumably the validators would want some compensation for doing this.

<j​ohn_r365:monero.social> One interesting way to model what might be a valid split between PoW and PoS is to look at the annual percentage yield (APY) for stakers.

<j​ohn_r365:monero.social> If the reward was split 50/50 with 216 XMR per day going to stakers, given the current price of XMR ($250) it would mean an annual return of ~$20m for stakers

<j​ohn_r365:monero.social> An economically rational staker is going to want some reasonable rate of return. I believe for ETH staking it's around 3% APY, and the FED funds rate is currently ~4.33%

<j​ohn_r365:monero.social> A $20m annual return would mean that up to $985m XMR could be staked to yield 2% return.

<j​ohn_r365:monero.social> $985m, basically $1B seems like a reasonable moat. However, it would mean the security budget for miners goes to $54,000 per day.

<j​ohn_r365:monero.social> If the split was 75% to PoW miners and 25% to stakers, it would mean we halve the values above.

<j​ohn_r365:monero.social> I.e. to yield 2% return up to $~500m could be staked.

<j​ohn_r365:monero.social> obviously this gets complex as the price of monero rises or falls.

<j​ohn_r365:monero.social> supposing XMR went back to the $140 to $180 range, which it hovered around in 2022-2024

<j​ohn_r365:monero.social> to achieve a 2% rate of return from staking, if the return is 25% of the block reward (39,420 per year (108 XMR * 365)) and we average a price of $160

<j​ohn_r365:monero.social> the max that could be staked is ~$315m. Obviously more can be staked, but the APY would go under 2%.

<j​ohn_r365:monero.social> Of course, for people that are stacking XMR and hoping it appreciates in price, they may be ok with staking XMR to yield a rate of return substantially under inflation.

<j​ohn_r365:monero.social> Their "loss" in inflation terms would hopefully be compensated by asset appreciation.

<j​ohn_r365:monero.social> But it's unclear how much capital that would attract, so that's why I mention the above.

<m​onerobull:matrix.org> true

<m​onerobull:matrix.org> right now, i would stake at 2%, obviously

<m​onerobull:matrix.org> once serai is live, the pools likely are going to have much higher APY than that

<a​sdfqwfe:matrix.org> The Federal Fund rate is like 4% but that's measured in fiat. They print like 10% per year.

<a​sdfqwfe:matrix.org> Having any positive APY denominated in a hard asset is great!

<a​sdfqwfe:matrix.org> Even gold has a 1.5% inflation from mining

<j​ohn_r365:monero.social> I suppose just to loosely model the other side, with stakers getting 25% of the block reward.

<j​ohn_r365:monero.social> Supposing XMR price went UP to $500 per token, we would be back at the possibility of $1B of XMR being staked to yield a return of 2%.

<j​ohn_r365:monero.social> Hypothetically, what do people think miners would accept in terms of a cut to their block reward? Is losing 25% acceptable? Meaning they receive 0.45 XMR per block.

<j​ohn_r365:monero.social> I guess part of this whole issue is the current reward (in fiat terms) is already too low to fully secure the network. Is weakening the PoW security budget acceptable if the finality layer is added?

<e​longated:matrix.org> Them getting paid something of real value is better than getting paid more on a chain that’s worth less due to a 51% attack.

<j​ohn_r365:monero.social> elongated - fair point - I guess the risk is a contentious HF with some miners staying on PoW and the rest moving to hybrid PoW/PoS

<r​edsh4de:matrix.org> An idea was floated of increasing the minimum transaction fee by a factor of 10-16, and then routing 10% of the block reward to finality layer validators. That way miners wouldnt really receive that much less, and the tx fee increase wouldnt impact the UX that critically

<e​longated:matrix.org> Like it happened with CN/randomx ? Gpu boot? This is less contentious

<r​edsh4de:matrix.org> Or we could route transaction fees to validators, and miners get the block rewards.

<j​ohn_r365:monero.social> redsh4de - interesting, i haven't done the maths on what % of the daily reward (432 XMR) transactions fees might capture if the minimum fee was raised by 10-16x. But I do remember fees being (currently) a very small percentage of overall reward

<e​longated:matrix.org> Stackers need enough incentives

<a​sdfqwfe:matrix.org> What are the risks of staking? I've heard people always/often stake using datacenters with great uptime because if your Internet cuts out, then there's a risk of losing what your staked through slashing fees.

<r​edsh4de:matrix.org> Then the minimum tx fee could be boosted regardless. I feel like due to the hardware cost of staking being so low, there isnt much you have to “recoup”, and the stake can be withdrawn so any incentive could be good enough to incentivise staking. i.e. ETH stakers barely earn 2% APY right now. Besides, at the moment PoW mining is objectively unprofitable for your average joe, wh<clipped message>

<r​edsh4de:matrix.org> ile with the layer even if the profit being tiny, they would be still some kind of profit. So in that sense, the incentives there can be argued to be higher

<a​sdfqwfe:matrix.org> We should try to make the staking attractive to people doing it on their home computer with less than perfect internet.

<r​edsh4de:matrix.org> Then the minimum tx fee could be boosted regardless. I feel like due to the hardware cost of staking being so low, there isnt much you have to “recoup”, and the stake can be withdrawn so any incentive could be good enough to incentivise staking. i.e. ETH stakers barely earn 2% APY right now. Besides, at the moment PoW mining is objectively unprofitable for your average joe, wh<clipped message>

<r​edsh4de:matrix.org> ile with the layer even if the profit being tiny, they would still be making some kind of profit in terms of XMR. So in that sense, the incentives there can be argued to be higher

<s​pirobel:kernal.eu> APY is for boomers. it makes tax filing more complicated. and practically there is no purpose to nominal inflation. great you got more of coins, but there are more now, so whats the point? apy just attract midwit stakers that think they are getting something.

<s​pirobel:kernal.eu> (not my take but it has some truth to it)

<m​onerobull:matrix.org> at least one of kayabas suggestions works over tor

<r​edsh4de:matrix.org> Which one was the one compatible with Tor?

<m​onero.arbo:matrix.org> the donation address only has like 0.2 BTC --- have we been sweeping coins to a different wallet or is that the entire balance

<a​ntilt:we2.ee> monero-project/research-lab #135 -- asynchronous BFT: # of validators may vary

<r​edsh4de:matrix.org> I agree that an asynchronous one makes more sense for Monero. Tor/I2P etc should be supported, anonymity networks go hand in hand with Monero

<t​orir:matrix.org> "The communication complexity will prevent thousands of participants in consensus however." We need thousands of participants if we don't want PoS to become defacto centralized though...

<t​orir:matrix.org> Can't be harder than FCMP++*, maybe we can find a solution to make it scale.

<t​orir:matrix.org> * For all I know it could be much much harder.

<k​ayabanerve:matrix.org> I plan to submit a CCS today or tomorrow.

<k​ayabanerve:matrix.org> Sorry, that was meant to be in reply to john_r365: asking me for info on how a FL would look.

<r​ucknium:monero.social> kayabanerve: Are you familiar with Avalanche? That would be a "Leading Finality Layer". I don't know much about it.

<k​ayabanerve:matrix.org> My answer: I'll submit a CCS to answer that :p

<r​ucknium:monero.social> I don't know how Avalanche works, exactly, but if it works as well as in my dreams, it fixes the empty mined block problem. Trailing Finality Layer doesn't, AFAIK.

<k​ayabanerve:matrix.org> Rucknium: I am familiar with it, including how it's a very bad idea.

<k​ayabanerve:matrix.org> It isn't proven to asynchronously (despite that popular claim) and it inherently only has a sqrt safety bound. For 1,000,000 nodes, only 1,000 have to be malicious.

<k​ayabanerve:matrix.org> It also only ever achieves probabilistic finality.

<k​ayabanerve:matrix.org> There's a modified variant which is... up to 25%?

<k​ayabanerve:matrix.org> But again, it's not proven in the async model so it's immediately disqualified IMO.

<t​orir:matrix.org> Probabilistic finality being a small chance we can make arbitrarily small like ZK proofs or some larger number we just have to live with?

<k​ayabanerve:matrix.org> The former, except the point of Avalanche is 'constant' communication complexity where you only query a few random nodes

<k​ayabanerve:matrix.org> To have probability be negligible, you need to increase queries as nodes increase, and it's no longer negligible iirc

<k​ayabanerve:matrix.org> **no longer constant

<k​ayabanerve:matrix.org> I may be wrong due to graph theory? Maybe you can get a suitable result just with many many rounds, even with few queries, due to some logarithm being taken at some point (such as for graph diameter)?

<k​ayabanerve:matrix.org> (the capacity of a graph with a bounded diameter is exponential to the diameter)

<v​tnerd:monero.social> Sounds like a centralization problem with pos then - everyone just puts their stuff on AWS or even easier exchanges, and then it's just those entities battling each other over control

<a​sdfqwfe:matrix.org> There's nothing decentralized about a nuclear datacenter

<k​ayabanerve:matrix.org> Hence why support for Tor, and no requirement on a fixed IP which supports port forwarding, would be so valuable.

<a​ntilt:we2.ee> i'm afraid, but the question is more WHERE we want a little centralization not IF. I prefer our 14 supernodes (pool ops) ... but delegation opens another can of worms....

<k​ayabanerve:matrix.org> I ended up doing a very brief outline for CCS, though obviously I expect the completed work to be similar in content/thickness as my FCMP++ paper (albeit angled for wider understandability throughout the community). repo.getmonero.org/monero-project/ccs-proposals/-/merge_requests/604

<v​enture:monero.social> WHERE centralization not IF, might be the bitter reality. I can't evaluate all the design choices, but instinctively I would prefer any risk of centralization (if this is unavoidable, given the CAP theorem?) on a TFL, trailing finality layer.

<v​enture:monero.social> but to diverge centralization risk from PoW layer to TFL, maybe enforcing miner-signatures are needed in conjunction?

A kind of second-check, PoS FL to act alongside PoW layer, giving a balance of checks of HP and those (literally) invested in the network having longer term value might be good. But.... restricting FL to a small set of select "super nodes" is very ick.

<i​nterestingband:matrix.org> a book instead of code or even research paper ? :D

<i​nterestingband:matrix.org> your skill of writing a lot of text is certainly sutiable better for literature rather programming, no doubt

<i​nterestingband:matrix.org> good luck

<i​nterestingband:matrix.org> your skill of writing a lot of text is certainly sutiable better for literature rather than programming, no doubt

<k​ayabanerve:matrix.org> Book like gitbook, not like paperback. It'd be of comparable density and breadth to my FCMP++ paper, just more to get _everyone_ up to speed rather than _developers_.

<i​nterestingband:matrix.org> useless anyway