3.1 Is Proof-of-Stake Impossible?

There are very serious theoretical hurdles to any proof-of-stake system. The main argument against the very possibility of a proof-of-stake system is the following: a new user downloads a client and connects for the first time to the network. He receives a tree of blocks with two large branches starting from the genesis hash. Both branches display a thriving economic activity, but they represent two fundamentally different histories. One has clearly been crafted by an attacker, but which one is the real chain?

In the case of Bitcoin, the canonical blockchain is the one representing the largest amount of work. This does not mean that rewriting history is impossible, but it is costly to do so, especially as one's hashing power could be used towards mining blocks on the real blockchain. In a proof-of-stake system where blocks are signed by stakeholders, a former stakeholder (who has since cashed out) could use his old signatures to costlessly fork the blockchain — this is known as the nothing-at-stake problem.

3.2 Mitigations

While this theoretical objection seems ironclad, there are effective mitigations. An important insight is to consider that there are roughly two kinds of forks: very deep ones that rewrite a substantial fraction of the history and short ones that attempt to double spend. On the surface there is only a quantitative difference between the two, but in practice the incentives, motivations, and mitigation strategies are different.

No system is unconditionally safe, not Bitcoin, not even public key cryptography. Systems are designed to be safe for a given threat model. How well that model captures reality is, in fine, an empirical question.

3.2.1 Checkpoints

Occasional checkpoints can be an effective way to prevent very long blockchain reorganizations. Checkpoints are a hack. As Ben Laurie points out, Bitcoin's use of checkpoints taints its status as a fully decentralized currency [14].
Yet, in practice, annual or even semi-annual checkpoints hardly seem problematic. Forming a consensus over a single hash value over a period of months is something that human institutions are perfectly capable of safely accomplishing. This hash can be published in major newspapers around the world, carved on the tables of freshmen students, spray painted under bridges, included in songs, impressed on fresh concrete, tattooed on pet ferrets... there are countless ways to record occasional checkpoints in a way that makes forgery impossible. In contrast, the problem of forming a consensus over a period of minutes is more safely solved by a decentralized protocol.
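
The checkpoint idea above, as an added example that is not part of the paper: a new client holding an out-of-band checkpoint discards a deep fork from genesis even when that fork is the longer branch. The block format, the hashing scheme and every name here are assumptions made for illustration (they are not the Tezos protocol), and the chains are constructed sample data.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Block:
    height: int
    prev_hash: str
    payload: str

    @property
    def digest(self) -> str:
        data = f"{self.height}|{self.prev_hash}|{self.payload}".encode()
        return hashlib.sha256(data).hexdigest()

def extend(chain, payloads):
    """Return a copy of chain with one new block appended per payload."""
    chain = list(chain)
    for payload in payloads:
        tip = chain[-1]
        chain.append(Block(tip.height + 1, tip.digest, payload))
    return chain

def links_ok(chain):
    """Chain starts at height 0 and every block commits to its predecessor."""
    return bool(chain) and chain[0].height == 0 and all(
        b.height == a.height + 1 and b.prev_hash == a.digest
        for a, b in zip(chain, chain[1:]))

def passes_checkpoint(chain, checkpoint):
    """checkpoint = (height, digest) learned out of band, e.g. from print."""
    height, expected = checkpoint
    return (links_ok(chain) and len(chain) > height
            and chain[height].digest == expected)

def select_branches(branches, checkpoint):
    """Drop every branch whose history does not contain the checkpoint."""
    return {name: chain for name, chain in branches.items()
            if passes_checkpoint(chain, checkpoint)}

# --- constructed sample data, not real chain data ---
GENESIS = [Block(0, "0" * 64, "genesis")]
honest = extend(GENESIS, [f"honest-{i}" for i in range(1, 9)])
CHECKPOINT = (5, honest[5].digest)  # published once height 5 was settled
# Deep fork: rewritten from genesis and made longer than the honest chain.
forged = extend(GENESIS, [f"forged-{i}" for i in range(1, 12)])
# Short fork: diverges after the checkpoint (a double-spend attempt).
short_fork = extend(honest[:7], ["conflict-7", "conflict-8"])

if __name__ == "__main__":
    branches = {"honest": honest, "forged": forged, "short_fork": short_fork}
    print(sorted(select_branches(branches, CHECKPOINT)))
```

The short fork passes the checkpoint filter because it diverges after the checkpointed block, which matches the distinction drawn in 3.2: a checkpoint only bounds very deep reorganizations, and short forks need a different mitigation.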
A Self-Amending Crypto-Ledger Position Paper