From what I know about Ouroboros, I can with relative certainty say that out of all attacks described here: http://cryptowiki.net/index.php?title=Proof-of-work_system#Attacks
Not relevant for Ouroboros:
Attack from afar (long range)
In a system with PoS-agreement, an attacker with sufficient computing power can try to build an alternative blockchain, starting with the first unit.
Afaik, cannot be performed in Ouroboros in the same sense, since each slot is already assigned to a specific leader starting with the genesis-block. May be performed only by compromising private keys of known historical slot-leaders.
Why I don’t see it as a problem - this attack is a subtype of a 51% attack, cuz if you have an ability to compromise slot-leader’s private keys you may just compromise >51% of current leaders and do whatever. Compromising only keys of historical leaders (like, some historical block-producers may try to sell their keys afterwards) is not effective, cuz you would not be able to rebuild the current tail of the chain.
Also, as I understand - the Ouroboros’s rule is that node always trusts first version of a block for a specific slot that he has received, so if I get it right: if current chain tail is the block X, and you’re the malicious slot-leader on the X+1 slot - previous leader hands you a chain and you try to replace the whole chain so that it now ends in block X’ and you build on top of it. Well if you broadcast it - previous leader would just reject the whole chain, cuz he already signed and verified the block X and the chain behind it that was already signed by slot-leaders. And so would do all the other nodes that’ve already received block X.
But as I said - long range is a 51% attack in Ouroboros, so if you can build a longer chain - you can just ignore everyone else.
In comparison - Casper FFG tries to solve exactly this problem in Ethereum, and their solution is a set of validators that put on-chain vote for a specific branch each 50 blocks also referencing their own previous vote. So after 100 block chain gets completely finalised and 51% PoW attack cannot rebuild long-range, but rather only after last hard checkpoint (100 blocks). But if I understand it correctly the whole thing can also be easily compromised by stealing private keys of 66% of validators. Because anything in blockchain may be broken by stealing private keys.
Attack by precomputing (grinding)
Not relevant, since Ouroboros uses distributed coin-tossing for randomness. Afaik, you can only affect it (with a point) by compromising 100% of tossing participants, since even if you own 99 out of 100 nodes - the last node will still produce an unpredictable randomness, so grinding is still impossible.
Kinda relevant for Ouroboros:
Sending a large number of “garbage” data node that handles the transaction may complicate its work.
But I don’t really know if and how any network could protect it’s nodes from being DoSed with a bunch of invalid transactions that they still need to process in order to reject. But it seems that it’s still not a protocol issue as described here: https://ethereum.stackexchange.com/a/86
Attack by bribes (short range)
Send transaction to exchange. Receive goods. Bribe some miners to recreate past history and revert the transaction.
Well, again, it seems to be the same issue as with stealing private keys - if you control >51% of slots you may just don’t care what everyone else thinks, but then network would not cost really much )
In more practical sense:
Option 1 would be to try to actually recreate last blocks. This would fail for the reason described above - other nodes would already have a version of a block at slot X, signed by a valid leader for that slot. When they receive new version of the block for the same slot, signed by the same key - they not only ignore it, but they also immediately assume the this leader is compromised, since there’s a proof of double-sign.
Option 2 would be possible if a malicious party control a significant number of slots in a row. In this case they could selectively miss some blocks, to make main chain shorter, and at the same time prepare in background a parallel chain of the greater length where double-spend transaction is executed, and at some point subvert main chain by this fork. A situation like this could easily be explained by honest network problems.
The last option is in my opinion actually the scariest thing that may happen in Ouroboros, but it’s kinda solved by these things:
Attack like this would require a fair bit of preparation, and in the Ouroboros Praos, if I’m not mistaken, slot-leader list is already encrypted (or at least there was a definite plan from IOHK to make it encrypted at some point), so no slot-leader would know ahead of time that he’s controlling a particular block. This would prevent a malicious party from a) knowing that they will have a long-strip of slots under control; and b) knowing which node to corrupt, in order to gain access to a particular slot. The more power malicious party gets - the more chance it has to get a long chunk of slots and to perform a double-spend, so it’s kinda also moves towards a 51% problem that should be solved by honest majority. Also there’s this pic from the Prof. Aggelos’ slides: https://i.imgur.com/HLG3xqo.jpg It shows that a malicious party needs to control at least 40% of all stake in order to have a slightest chance to do anything bad.
Wait for confirmations as described here: https://cardanodocs.com/cardano/transaction-assurance/
Trust latest history even less if there’re visible missing nodes or forks
There actually could be a software solution that would confirm that a transaction was successfully validated by a % of nodes, so the closer this number gets to the 100% - the lower the chance that there could be a double-spend.
I would be really grateful for anyone to guide me to some additional info on how Ouroboros solves this particular last problem.