So the backdrop to this review is this Twitter post:
According to the author:
“It demonstrates, among other things, that Ouroboros fails to replicate the core security guarantees of Nakamoto consensus”
The 103-page technical paper can be found here:
I just read it myself.
Of concern to Cardano are two suggested new forms of attack: book-prize attacks and pseudo-transfer attacks.
It also has some interesting ideas regarding signalling theory: instead of having a cost to send a signal (like staking your value to participate in a lottery for proof of stake), you could make the cost zero for honest signals and very large for dishonest signals. On this basis the author argues that the whole system design of both proof of work and proof of stake is flawed and presents three arguments for this being the case (we will tackle that part of the criticism first in this post):
The first premise is that it is very wasteful to make signals have a cost, and that a better approach is to identify a dishonest signal and give it a great enough cost. The problem is that this all rests on being able to correctly identify a dishonest signal, and that introduces a whole slew of problems and angles of attack of its own (masking dishonest signals etc.; there are many good reasons why cryptocurrencies put a cost on signalling). So the author's claim that “There is thus no intrinsic reason that participants in permissionless consensus should be forced to waste money or computing power.” is for me a claim that has not been backed up by research, as it rests on the assumption that you do not need to impose such a cost. To put it into a mental image, it's like saying we only need to pay the guards to show up at the bank when the bank robbery is about to take place. Any other security system is wasteful in the author's opinion.
The second argument, that signalling uses a wrong statistical understanding, is for me also flawed, as it suggests models are based on statistical sampling when most models are based on mathematical assumptions and not on sampling of data. As we shall see, this relates to the book-prize attack, which is named after an “attack” on the winner of Book of the Year in the Netherlands: only 92,000 voted for the book prize, and 70% voted for a new translation of the Bible because a group wanted to vote for this translation. So basically the argument is that the sample that participated in the voting was not representative of the entire population (the Netherlands), and they were able to vote for something other than what the majority would have wanted. First, it assumes the cost of not voting is the same, when, let's be frank, the majority of people in the Netherlands did not give the slightest concern to what would be the book of the year. Secondly, it assumes that there is no incentive to participate in any such sampling. This is far from the case, as Cardano gives staking rewards for participating in any voting (basically a negative cost, otherwise known as a reward), and not only does it give such a prize, it is a prize in itself to protect the value of your current ADA by participating in the network to keep it safe, not to speak of the social values / ideological reasons each individual user may have for wanting such a system. To put it in a mental image, it's like saying you can steal this free pamphlet from the bank and this shows that the bank is not secure, while in reality it is, because frankly the bank or the bank depositors do not care enough to want to tackle this stealing behaviour.
The third argument is that corruption could be adaptive: basically, if an attacker robs a bank he would have the resources to rob even more banks, or, said in cryptocurrency terms, the maximum resources an attacker can bring to bear is more than his current resources: the resources he has plus the amount he can grab during any such attack or from outside the system involved. But this is also flawed, as it assumes the users of said cryptocurrency would stand idly by and watch these attacks unfold, and that the trickle of resources is not time limited and the sale of the token itself is not limited. In Cardano you get a small trickle of resources flowing into the system during any given time slot (20 seconds), and even during an epoch this is far less than the resources available in the system, leaving plenty of time for users to react to such an attack over time. Same with coins sold on the market. In a mental image, it's like saying Iraq can dominate Saudi Arabian oil field installations and attack them one by one, while in reality at some point allies or the world would start to react before it was too late.
The conclusion that it costs a lot for users to participate in the signalling is also wrong: it costs a user very little computational power to delegate a stake to a pool, we are talking minutes or seconds in a 5-day period of time and a small fee, much less than the reward. So this type of theoretical attack, not based on actual use cases in Cardano, is for me very odd to see and not really based on or grounded in reality.
The pseudo-transfer attack, on the other hand, rests on the premise that users can hide that they are in control since, well, the internet is anonymous. Or as the author writes: "It demonstrates that the adversary can execute a pseudo-transfer attack, in which it shifts stake between its own cryptographic addresses to generate the illusion of decentralization. The movement of stake on a Proof-of-Stake ledger therefore provides no assurance of security". Yes, the movement in itself does not prove the pools and users are decentralized; this is a fair assessment. KYC, however, does to quite an extent, and is one of the reasons I am very much for transparency in ICOs and in ownership by IOHK, EMURGO and CF. And it also still rests on the premise that the attack will be worth it for the attacker, so that the cost of the signal is not too high. It does not help to shift your ADA around between different addresses if the cost of taking over the network is too high.
The author also suggests a form of attack where you buy a majority while the cryptocurrency is low in price and then attack later, when the network has great value, at a much reduced cost compared with the current value flowing in the system. But this is counter to logic: if you have a majority at a greater value, why would you even risk such an attack, which could end up making the cryptocurrency fall like a rock in price as users discover that the currency is corrupted? Granted, you could siphon out money slowly, but you still risk users finding out, and then you will have a race to the bottom to sell all the value you are sitting on. For me this only makes sense if, say, a government wanted to stop Cardano from getting off the ground. But if they did not do this at the very start (highly unlikely), this type of attack gets harder and harder to accomplish, and it assumes that other governmental interests would not want to interfere. And frankly no cryptocurrency is currently safe from an attacker that is willing to bear the full cost of any such attack (say the US wanting to sacrifice 1 trillion, if that is the cost of the entire ADA ecosystem). However, this assumes they are able to acquire said resources, and what is stopping users from not selling for reasons that cannot be measured in valuations (freedom, liberty)? In general I think the social costs of attacks are very much an overlooked area of research.
Finally, in regards to Ouroboros failing to replicate the core security guarantees of Nakamoto consensus, the author claims: "In Nakamoto consensus, late-joining agents are not forced to place their trust in the initial set of protocol participants, because control of the protocol becomes verifiably decentralized as the total hashing power on the network expands; in Proof-of-Stake algorithms, the total quantity of cryptographic stake does not increase when new agents join the protocol, so the initial participants can remain in control indefinitely. It has previously been argued that, even if such an attack is theoretically possible, it can be ruled out on a given blockchain once enough stake has migrated to new addresses. The present paper disproves this claim. It demonstrates that the adversary can execute a pseudo-transfer attack, in which it shifts stake between its own cryptographic addresses to generate the illusion of decentralization. The movement of stake on a Proof-of-Stake ledger therefore provides no assurance of security"
As you can read from the above, yes, it is true that you can do pseudo-transfer attacks, as the current Cardano method has no Know Your Customer (KYC) after the initial distribution, and so it is easy to fake identities and shift money around to make a system look decentralized. The argument is still flawed, since this does not matter for the safety of Cardano: it is designed on the basis of not knowing any single user and using mathematics to show that the cost of gaining a majority would be too large for any attacker to consider such an attack. And the owners we do know from genesis/birth are very transparent and have a vested interest in not allowing any attack to succeed (IOHK, EMURGO, CF), since they profit far more as Cardano grows, as they have a majority of ADA and can only sell for profit if other users trust the system (prices would plummet like a rock if, say, IOHK did a double-spend attack).
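To make the pseudo-transfer point from the quoted passage and the paragraph above concrete, here is a small added illustration (my own Python, not code from the paper or from Cardano): a toy ledger where one controller splits its stake across fresh addresses. The address-level Nakamoto coefficient (the smallest number of holders owning more than half the stake) goes up, while the same metric computed over controllers, using assumed out-of-band ownership knowledge of the kind KYC provides, does not move at all. Address names, amounts and the ownership mapping are constructed.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample ledger (not real Cardano data): address -> stake units.
GENESIS_STAKE = {"addr_A": 60, "addr_B": 25, "addr_C": 15}
# Constructed ownership knowledge per address (what KYC supplies); on-chain metrics never see it.
GENESIS_CONTROLLER = {"addr_A": "founder", "addr_B": "bob", "addr_C": "carol"}


def apply_transfers(stake: Dict[str, int], controller: Dict[str, str],
                    transfers: List[Tuple[str, str, int]]):
    """Apply (source, destination, amount) moves. A destination address that did
    not exist before is taken to belong to the sender: the pseudo-transfer case."""
    stake, controller = dict(stake), dict(controller)
    for src, dst, amount in transfers:
        if stake.get(src, 0) < amount:
            raise ValueError(f"{src} cannot move {amount}")
        stake[src] -= amount
        stake[dst] = stake.get(dst, 0) + amount
        controller.setdefault(dst, controller[src])
        if stake[src] == 0:
            del stake[src]
    return stake, controller


def nakamoto_coefficient(holdings: Dict[str, int]) -> int:
    """Smallest number of holders whose combined stake exceeds half the total."""
    total, running = sum(holdings.values()), 0
    for count, amount in enumerate(sorted(holdings.values(), reverse=True), 1):
        running += amount
        if 2 * running > total:
            return count
    return len(holdings)


def by_controller(stake: Dict[str, int], controller: Dict[str, str]) -> Dict[str, int]:
    """Collapse the per-address view into a per-controller view."""
    totals: Counter = Counter()
    for addr, amount in stake.items():
        totals[controller[addr]] += amount
    return dict(totals)


def pseudo_transfer_demo() -> Tuple[int, int, int]:
    """Founder splits addr_A into six fresh addresses of 10. Returns the address-level
    coefficient before and after the split, then the controller-level one after."""
    before = nakamoto_coefficient(GENESIS_STAKE)
    split = [("addr_A", f"addr_A{i}", 10) for i in range(6)]
    stake, controller = apply_transfers(GENESIS_STAKE, GENESIS_CONTROLLER, split)
    after_addr = nakamoto_coefficient(stake)
    after_ctrl = nakamoto_coefficient(by_controller(stake, controller))
    return before, after_addr, after_ctrl  # (1, 4, 1)
```

The address view climbs from 1 to 4 "independent" holders after six self-transfers, which is exactly why stake movement alone proves nothing; only the controller view, which needs identity information the ledger does not carry, stays honest at 1.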